Bug #8037

closed

status_monitoring.php XSS

Added by Anonymous about 7 years ago. Updated about 7 years ago.

Status: Duplicate
Priority: Normal
Assignee:
Category:
-
Target version:
Start date: 10/31/2017
Due date:
% Done: 0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.2
Affected Architecture:

Description

If you click the edit icon > display advanced > add view and then enter `<script>alert(1)</script>`, it looks like it doesn't sanitize any input. Chrome gives you an XSS warning, and then you press back and the alert pops up.
In status_monitoring.php I think all that is needed is to escape the POST variable `$title`. There are 2 sections: one is under `if($_POST['add-view'])` and one under `if ($_POST['save-view'])`. Changing this `$title = $_POST['view-title'];` to this `$title = htmlspecialchars($_POST['view-title']);` seems to work. You may want to check the JavaScript version of `create-slug();` and `add-view.onclick()`. It is supposed to check for duplicates, but if you escape the HTML characters in PHP it doesn't match up and will let you put duplicates if they contain HTML characters.
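
One way to keep the escaping and the duplicate check consistent, as an added example that is not part of the original report or the project's code: store the raw title, compare on the raw value, and escape only where the value is written into HTML or JavaScript. The function names, the slug rule and the sample data are hypothetical.

```php
<?php
// Added example. h(), make_slug(), view_exists(), add_view() and the sample
// data are hypothetical and are not taken from status_monitoring.php.

// Escape at output time, for HTML text and quoted attribute contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed slug rule: lowercase, runs of other characters become "-".
function make_slug(string $title): string {
    return trim((string)preg_replace('/[^a-z0-9]+/', '-', strtolower($title)), '-');
}

// Duplicate check runs on the raw title, the same value the browser holds.
function view_exists(array $views, string $title): bool {
    foreach ($views as $view) {
        if (strcasecmp($view['title'], $title) === 0) {
            return true;
        }
    }
    return false;
}

// Stores the raw title; nothing is escaped on the way in.
function add_view(array &$views, string $rawTitle): bool {
    $title = trim($rawTitle);
    if ($title === '' || view_exists($views, $title)) {
        return false;
    }
    $views[] = ['title' => $title, 'slug' => make_slug($title)];
    return true;
}

// Constructed input: the title from the report, submitted twice.
$views = [];
$title = '<script>alert(1)</script>';
var_dump(add_view($views, $title));
var_dump(add_view($views, $title)); // second submit hits the duplicate check

// HTML context: escape each value where it is written into markup.
foreach ($views as $view) {
    echo '<option value="' . h($view['slug']) . '">' . h($view['title']) . "</option>\n";
}

// JavaScript context: hand the raw titles to a client-side duplicate check
// as JSON, with <, >, &, ' and " hex-escaped so they cannot close the tag.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo '<script>var viewTitles = ' . json_encode(array_column($views, 'title'), $flags) . ";</script>\n";
```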
