Inconsistent use of htmlentities validation checks
Various pages have a loop through the input parameters ($_POST, $_REQUEST, etc.) checking for htmlentities() that the user has tried to "sneak in". It is done a bit differently in different pages, e.g. see:
or not at all:
This means that on some GUI pages the user can put characters like double-quotes, "<", ">" in the description field, and in others they cannot. It makes for an inconsistent user experience.
Sort out what htmlentities() etc input validation is really needed to protect against??? and then implement it consistently across the code.
#2 Updated by Phillip Davis about 4 years ago
https://github.com/pfsense/pfsense/commit/11800cffd5bd0731596324cd4d26f829bf198174 allows users to put stuff like "&" or "<" in the description field.
The code is still inconsistent across pages, so needs some understanding of exactly what and why and then implement consistently.
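The check discussed in this issue, written once as a shared helper and paired with encoding on output, as an added example (not pfSense code; `fields_with_html_chars`, `h` and the field names are hypothetical, and the sample input is constructed):

```php
<?php
// Added example, not pfSense code. Function and field names are hypothetical.

/**
 * Return the names of input fields whose value htmlentities() would change,
 * i.e. fields containing characters such as <, >, & or ".
 * Fields named in $escapedOnOutput are skipped: they may hold any character
 * because the page encodes them when it renders them.
 */
function fields_with_html_chars(array $input, array $escapedOnOutput = []): array
{
    $flagged = [];
    foreach ($input as $name => $value) {
        if (in_array($name, $escapedOnOutput, true)) {
            continue;
        }
        // Walk nested values (e.g. name[]) so no array element skips the check.
        $values = is_array($value) ? $value : [$value];
        array_walk_recursive($values, function ($v) use ($name, &$flagged) {
            $v = (string) $v;
            // Note: htmlentities() also rewrites accented characters, so this
            // comparison rejects more than the HTML metacharacters.
            if ($v !== htmlentities($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')) {
                $flagged[$name] = true;
            }
        });
    }
    return array_keys($flagged);
}

/** Encode a stored value for an HTML text node or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = [
    'descr'     => 'LAN & "guest" <vlan 20>',
    'interface' => 'lan"><b>x</b>',
    'port'      => '443',
];

// Same rule on every page: free-text fields are allowed and encoded on output,
// everything else is rejected if it carries HTML metacharacters.
print_r(fields_with_html_chars($post, ['descr']));
echo '<input name="descr" value="' . h($post['descr']) . '">' . PHP_EOL;
```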