Bug #15525 (closed): File browser on `diag_edit.php` does not encode directory names before display

Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version:
Affected Architecture:
Description
The file browser on `diag_edit.php` does not encode directory names before display.
Similar to #13262, which fixed problematic filenames, but directories can also trigger a similar issue, both in the file/directory list and in the breadcrumb/directory path line.

Creating a directory named `\'\>\"\>\<img\ src=q\ onerror=alert\(\'xss\'\)\;\>` and then browsing to it will produce a JS alert.

A user who can create directories with arbitrary names can break rendering of the page, though exploit potential is minimized by the fact that `/` is not valid in directory names, so tags cannot be closed.
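The fix the report implies is output encoding at both places a directory name reaches the HTML: the entry list and the breadcrumb. The following is an added illustration written for this page, not pfSense's `diag_edit.php` code; the function names, the `?path=` query parameter and the sample entries are assumptions. It shows the unencoded pattern beside the encoded one and checks that the encoded output carries no raw tag from the directory name.

```php
<?php
// Added example (not pfSense's diag_edit.php code). Function and parameter
// names are assumptions; the sample entries below are constructed.

// Encode once, at output time. ENT_QUOTES covers both quote styles so the
// value is safe inside attribute values as well as in text nodes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern the report describes: a filesystem name dropped straight into
// the markup. Shown only for contrast with the encoded version below.
function render_entry_unsafe(string $name): string {
    return '<li>' . $name . '</li>';
}

// Breadcrumb: every path component comes from the filesystem, so each one is
// encoded in the visible text and, after URL-encoding, in the href as well.
function render_breadcrumb(string $path): string {
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    $out   = '<a href="?path=%2F">/</a>';
    $acc   = '';
    foreach ($parts as $p) {
        $acc .= '/' . $p;
        $out .= ' / <a href="?path=' . h(rawurlencode($acc)) . '">' . h($p) . '</a>';
    }
    return $out;
}

// Directory listing: same rule, one row per entry. $entries is an array of
// ['name' => string, 'is_dir' => bool], as a directory scan would yield.
function render_listing(string $dir, array $entries): string {
    $rows = '';
    foreach ($entries as $e) {
        $full  = rtrim($dir, '/') . '/' . $e['name'];
        $label = $e['is_dir'] ? $e['name'] . '/' : $e['name'];
        $rows .= '<li><a href="?path=' . h(rawurlencode($full)) . '">'
               . h($label) . "</a></li>\n";
    }
    return "<ul>\n" . $rows . "</ul>\n";
}

// Constructed sample input mirroring the report: a directory whose name is
// HTML (the filesystem only rejects '/' and NUL, not '<' or quotes).
$evil = '\'>"><img src=q onerror=alert(\'xss\');>';
$entries = [
    ['name' => 'config.xml', 'is_dir' => false],
    ['name' => $evil,        'is_dir' => true],
];

$unsafe = render_entry_unsafe($evil);
$safe   = render_breadcrumb('/tmp/' . $evil) . "\n"
        . render_listing('/tmp/' . $evil, $entries);

// The unencoded row hands the browser a real <img> element; the encoded
// output contains only &lt;img ... as inert text.
assert(strpos($unsafe, '<img') !== false);
assert(strpos($safe, '<img') === false);
assert(strpos($safe, '&lt;img') !== false);

echo $safe;
```

The point of encoding at output rather than rejecting names at creation is that the file browser displays whatever already exists on disk, including names created outside the web UI; the same `h()` wrapper is applied wherever a name or path component is interpolated into markup, and the `href` value is URL-encoded first so the link round-trips the exact directory name.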