Potential XSS from URL and URL Table alias URLs
The URL from a URL or URL Table type alias is not sanitized before display on
firewall_alias.php, which can potentially lead to a stored XSS when viewing the list of aliases on the URL or All tabs.
The URL from a URL table alias is also not sanitized when included in the alias popup on various firewall and NAT rule pages, but that mechanism has its own safety measures which prevent it from being a concern there. Even so, it's best to encode it in the popup.