fix(i18n): escape language strings in form fields to prevent them from disappearing

fixes #412
2024-01-24 16:48:23 +00:00 · 2024-01-24 16:48:23 +00:00 · 3cb5ffd25b
parent 5f3752b443
commit 3cb5ffd25b
47 changed files with 226 additions and 219 deletions
--- a/themes/cp_admin/contributor/create.php
+++ b/themes/cp_admin/contributor/create.php
@ -17,7 +17,7 @@
 <Forms.Field
    as="Select"
    name="user"
-    label="<?= lang('Contributor.form.user') ?>"
+    label="<?= esc(lang('Contributor.form.user')) ?>"
    options="<?= esc(json_encode($contributorOptions)) ?>"
    placeholder="<?= lang('Contributor.form.user_placeholder') ?>"
    required="true" />
@ -25,7 +25,7 @@
 <Forms.Field
    as="Select"
    name="role"
-    label="<?= lang('Contributor.form.role') ?>"
+    label="<?= esc(lang('Contributor.form.role')) ?>"
    options="<?= esc(json_encode($roleOptions)) ?>"
    placeholder="<?= lang('Contributor.form.role_placeholder') ?>"
    selected="<?= setting('AuthGroups.defaultPodcastGroup') ?>"
--- a/themes/cp_admin/contributor/edit.php
+++ b/themes/cp_admin/contributor/edit.php
@ -17,7 +17,7 @@
 <Forms.Field
    as="Select"
    name="role"
-    label="<?= lang('Contributor.form.role') ?>"
+    label="<?= esc(lang('Contributor.form.role')) ?>"
    options="<?= esc(json_encode($roleOptions)) ?>"
    selected="<?= $contributorGroup ?>"
    placeholder="<?= lang('Contributor.form.role_placeholder') ?>"
--- a/themes/cp_admin/episode/create.php
+++ b/themes/cp_admin/episode/create.php
@ -19,9 +19,9 @@

 <Forms.Field
    name="audio_file"
-    label="<?= lang('Episode.form.audio_file') ?>"
-    hint="<?= lang('Episode.form.audio_file_hint') ?>"
-    helper="<?= lang('Common.size_limit', [formatBytes(file_upload_max_size(), true)]) ?>"
+    label="<?= esc(lang('Episode.form.audio_file')) ?>"
+    hint="<?= esc(lang('Episode.form.audio_file_hint')) ?>"
+    helper="<?= esc(lang('Common.size_limit', [formatBytes(file_upload_max_size(), true)])) ?>"
    type="file"
    accept=".mp3,.m4a"
    required="true"
@ -30,16 +30,16 @@

 <Forms.Field
    name="cover"
-    label="<?= lang('Episode.form.cover') ?>"
-    hint="<?= lang('Episode.form.cover_hint') ?>"
-    helper="<?= lang('Episode.form.cover_size_hint') ?>"
+    label="<?= esc(lang('Episode.form.cover')) ?>"
+    hint="<?= esc(lang('Episode.form.cover_hint')) ?>"
+    helper="<?= esc(lang('Episode.form.cover_size_hint')) ?>"
    type="file"
    accept=".jpg,.jpeg,.png" />

 <Forms.Field
    name="title"
-    label="<?= lang('Episode.form.title') ?>"
-    hint="<?= lang('Episode.form.title_hint') ?>"
+    label="<?= esc(lang('Episode.form.title')) ?>"
+    hint="<?= esc(lang('Episode.form.title_hint')) ?>"
    required="true"
    data-slugify="title" />

@ -55,14 +55,14 @@
    <Forms.Field
        class="flex-1 w-full"
        name="season_number"
-        label="<?= lang('Episode.form.season_number') ?>"
+        label="<?= esc(lang('Episode.form.season_number')) ?>"
        type="number"
        value="<?= $currentSeasonNumber ?>"
    />
    <Forms.Field
        class="flex-1 w-full"
        name="episode_number"
-        label="<?= lang('Episode.form.episode_number') ?>"
+        label="<?= esc(lang('Episode.form.episode_number')) ?>"
        type="number"
        value="<?= $nextEpisodeNumber ?>"
        required="<?= $podcast->type === 'serial' ? 'true' : 'false' ?>"
@ -74,17 +74,17 @@
 <Forms.RadioButton
    value="full"
    name="type"
-    hint="<?= lang('Episode.form.type.full_hint') ?>"
+    hint="<?= esc(lang('Episode.form.type.full_hint')) ?>"
    isChecked="true" ><?= lang('Episode.form.type.full') ?></Forms.RadioButton>
 <Forms.RadioButton
    value="trailer"
    name="type"
-    hint="<?= lang('Episode.form.type.trailer_hint') ?>"
+    hint="<?= esc(lang('Episode.form.type.trailer_hint')) ?>"
    isChecked="false" ><?= lang('Episode.form.type.trailer') ?></Forms.RadioButton>    
 <Forms.RadioButton
    value="bonus"
    name="type"
-    hint="<?= lang('Episode.form.type.bonus_hint') ?>"
+    hint="<?= esc(lang('Episode.form.type.bonus_hint')) ?>"
    isChecked="false" ><?= lang('Episode.form.type.bonus') ?></Forms.RadioButton>
 </fieldset>

@ -119,15 +119,15 @@
 <Forms.Field
    as="MarkdownEditor"
    name="description"
-    label="<?= lang('Episode.form.description') ?>"
+    label="<?= esc(lang('Episode.form.description')) ?>"
    required="true"
    disallowList="header,quote" />

 <Forms.Field
    as="MarkdownEditor"
    name="description_footer"
-    label="<?= lang('Episode.form.description_footer') ?>"
-    hint="<?= lang('Episode.form.description_footer_hint') ?>"
+    label="<?= esc(lang('Episode.form.description_footer')) ?>"
+    hint="<?= esc(lang('Episode.form.description_footer_hint')) ?>"
    value="<?= esc($podcast->episode_description_footer_markdown) ?? '' ?>"
    disallowList="header,quote" />

@ -144,8 +144,8 @@
 >
 <Forms.Field
    name="location_name"
-    label="<?= lang('Episode.form.location_name') ?>"
-    hint="<?= lang('Episode.form.location_name_hint') ?>" />
+    label="<?= esc(lang('Episode.form.location_name')) ?>"
+    hint="<?= esc(lang('Episode.form.location_name_hint')) ?>" />
 </Forms.Section>

 <Forms.Section
@ -212,11 +212,11 @@
 <Forms.Field 
    as="XMLEditor"
    name="custom_rss"
-    label="<?= lang('Episode.form.custom_rss') ?>"
-    hint="<?= lang('Episode.form.custom_rss_hint') ?>"
+    label="<?= esc(lang('Episode.form.custom_rss')) ?>"
+    hint="<?= esc(lang('Episode.form.custom_rss_hint')) ?>"
 />

-<Forms.Toggler name="block" value="yes" checked="false" hint="<?= lang('Episode.form.block_hint') ?>"><?= lang('Episode.form.block') ?></Forms.Toggler>
+<Forms.Toggler name="block" value="yes" checked="false" hint="<?= esc(lang('Episode.form.block_hint')) ?>"><?= lang('Episode.form.block') ?></Forms.Toggler>

 </Forms.Section>

--- a/themes/cp_admin/episode/edit.php
+++ b/themes/cp_admin/episode/edit.php
@ -23,9 +23,9 @@

 <Forms.Field
    name="audio_file"
-    label="<?= lang('Episode.form.audio_file') ?>"
-    hint="<?= lang('Episode.form.audio_file_hint') ?>"
-    helper="<?= lang('Common.size_limit', [formatBytes(file_upload_max_size(), true)]) ?>"
+    label="<?= esc(lang('Episode.form.audio_file')) ?>"
+    hint="<?= esc(lang('Episode.form.audio_file_hint')) ?>"
+    helper="<?= esc(lang('Common.size_limit', [formatBytes(file_upload_max_size(), true)])) ?>"
    type="file"
    accept=".mp3,.m4a"
    data-max-size="<?= file_upload_max_size() ?>"
@ -33,16 +33,16 @@

 <Forms.Field
    name="cover"
-    label="<?= lang('Episode.form.cover') ?>"
-    hint="<?= lang('Episode.form.cover_hint') ?>"
-    helper="<?= lang('Episode.form.cover_size_hint') ?>"
+    label="<?= esc(lang('Episode.form.cover')) ?>"
+    hint="<?= esc(lang('Episode.form.cover_hint')) ?>"
+    helper="<?= esc(lang('Episode.form.cover_size_hint')) ?>"
    type="file"
    accept=".jpg,.jpeg,.png" />

 <Forms.Field
    name="title"
-    label="<?= lang('Episode.form.title') ?>"
-    hint="<?= lang('Episode.form.title_hint') ?>"
+    label="<?= esc(lang('Episode.form.title')) ?>"
+    hint="<?= esc(lang('Episode.form.title_hint')) ?>"
    value="<?= esc($episode->title) ?>"
    required="true"
    data-slugify="title" />
@ -59,14 +59,14 @@
    <Forms.Field
        class="flex-1 w-full"
        name="season_number"
-        label="<?= lang('Episode.form.season_number') ?>"
+        label="<?= esc(lang('Episode.form.season_number')) ?>"
        type="number"
        value="<?= $episode->season_number ?>"
    />
    <Forms.Field
        class="flex-1 w-full"
        name="episode_number"
-        label="<?= lang('Episode.form.episode_number') ?>"
+        label="<?= esc(lang('Episode.form.episode_number')) ?>"
        type="number"
        value="<?= $episode->number ?>"
        required="<?= $podcast->type === 'serial' ? 'true' : 'false' ?>"
@ -78,17 +78,17 @@
 <Forms.RadioButton
    value="full"
    name="type"
-    hint="<?= lang('Episode.form.type.full_hint') ?>"
+    hint="<?= esc(lang('Episode.form.type.full_hint')) ?>"
    isChecked="<?= $episode->type === 'full' ? 'true' : 'false' ?>" ><?= lang('Episode.form.type.full') ?></Forms.RadioButton>
 <Forms.RadioButton
    value="trailer"
    name="type"
-    hint="<?= lang('Episode.form.type.trailer_hint') ?>"
+    hint="<?= esc(lang('Episode.form.type.trailer_hint')) ?>"
    isChecked="<?= $episode->type === 'trailer' ? 'true' : 'false' ?>" ><?= lang('Episode.form.type.trailer') ?></Forms.RadioButton>    
 <Forms.RadioButton
    value="bonus"
    name="type"
-    hint="<?= lang('Episode.form.type.bonus_hint') ?>"
+    hint="<?= esc(lang('Episode.form.type.bonus_hint')) ?>"
    isChecked="<?= $episode->type === 'bonus' ? 'true' : 'false' ?>" ><?= lang('Episode.form.type.bonus') ?></Forms.RadioButton>
 </fieldset>

@ -120,7 +120,7 @@
 <Forms.Field
    as="MarkdownEditor"
    name="description"
-    label="<?= lang('Episode.form.description') ?>"
+    label="<?= esc(lang('Episode.form.description')) ?>"
    value="<?= esc($episode->description_markdown) ?>"
    required="true"
    disallowList="header,quote" />
@ -128,8 +128,8 @@
 <Forms.Field
    as="MarkdownEditor"
    name="description_footer"
-    label="<?= lang('Episode.form.description_footer') ?>"
-    hint="<?= lang('Episode.form.description_footer_hint') ?>"
+    label="<?= esc(lang('Episode.form.description_footer')) ?>"
+    hint="<?= esc(lang('Episode.form.description_footer_hint')) ?>"
    value="<?= esc($podcast->episode_description_footer_markdown) ?? '' ?>"
    disallowList="header,quote" />

@ -146,8 +146,8 @@
 >
 <Forms.Field
    name="location_name"
-    label="<?= lang('Episode.form.location_name') ?>"
-    hint="<?= lang('Episode.form.location_name_hint') ?>"
+    label="<?= esc(lang('Episode.form.location_name')) ?>"
+    hint="<?= esc(lang('Episode.form.location_name_hint')) ?>"
    value="<?= esc($episode->location_name) ?>" />
 </Forms.Section>

@ -269,12 +269,12 @@
 <Forms.Field 
    as="XMLEditor"
    name="custom_rss"
-    label="<?= lang('Episode.form.custom_rss') ?>"
-    hint="<?= lang('Episode.form.custom_rss_hint') ?>"
+    label="<?= esc(lang('Episode.form.custom_rss')) ?>"
+    hint="<?= esc(lang('Episode.form.custom_rss_hint')) ?>"
    content="<?= esc($episode->custom_rss_string) ?>"
 />

-<Forms.Toggler id="block" name="block" value="yes" checked="<?= $episode->is_blocked ? 'true' : 'false' ?>" hint="<?= lang('Episode.form.block_hint') ?>"><?= lang('Episode.form.block') ?></Forms.Toggler>
+<Forms.Toggler id="block" name="block" value="yes" checked="<?= $episode->is_blocked ? 'true' : 'false' ?>" hint="<?= esc(lang('Episode.form.block_hint')) ?>"><?= lang('Episode.form.block') ?></Forms.Toggler>

 </Forms.Section>

--- a/themes/cp_admin/episode/persons.php
+++ b/themes/cp_admin/episode/persons.php
@ -26,8 +26,8 @@
        as="MultiSelect"
        id="persons"
        name="persons[]"
-        label="<?= lang('Person.episode_form.persons') ?>"
-        hint="<?= lang('Person.episode_form.persons_hint') ?>"
+        label="<?= esc(lang('Person.episode_form.persons')) ?>"
+        hint="<?= esc(lang('Person.episode_form.persons_hint')) ?>"
        options="<?= esc(json_encode($personOptions)) ?>"
        selected="<?= esc(json_encode(old('persons', []))) ?>"
        required="true"
@ -37,8 +37,8 @@
        as="MultiSelect"
        id="roles"
        name="roles[]"
-        label="<?= lang('Person.episode_form.roles') ?>"
-        hint="<?= lang('Person.episode_form.roles_hint') ?>"
+        label="<?= esc(lang('Person.episode_form.roles')) ?>"
+        hint="<?= esc(lang('Person.episode_form.roles_hint')) ?>"
        options="<?= esc(json_encode($taxonomyOptions)) ?>"
        selected="<?= esc(json_encode(old('roles', []))) ?>"
    />
--- a/themes/cp_admin/episode/publish.php
+++ b/themes/cp_admin/episode/publish.php
@ -84,8 +84,8 @@
                <Forms.Field
                    as="DatetimePicker"
                    name="scheduled_publication_date"
-                    label="<?= lang('Episode.publish_form.scheduled_publication_date') ?>"
-                    hint="<?= lang('Episode.publish_form.scheduled_publication_date_hint') ?>"
+                    label="<?= esc(lang('Episode.publish_form.scheduled_publication_date')) ?>"
+                    hint="<?= esc(lang('Episode.publish_form.scheduled_publication_date_hint')) ?>"
                    value="<?= $episode->published_at ?>"
                />
            </div>
--- a/themes/cp_admin/episode/publish_date_edit.php
+++ b/themes/cp_admin/episode/publish_date_edit.php
@ -25,8 +25,8 @@
 <Forms.Field
    as="DatetimePicker"
    name="new_publication_date"
-    label="<?= lang('Episode.publish_date_edit_form.new_publication_date') ?>"
-    hint="<?= lang('Episode.publish_date_edit_form.new_publication_date_hint') ?>"
+    label="<?= esc(lang('Episode.publish_date_edit_form.new_publication_date')) ?>"
+    hint="<?= esc(lang('Episode.publish_date_edit_form.new_publication_date_hint')) ?>"
    value="<?= $episode->published_at ?>"
    required="true"
 />
--- a/themes/cp_admin/episode/publish_edit.php
+++ b/themes/cp_admin/episode/publish_edit.php
@ -88,8 +88,8 @@
                <Forms.Field
                    as="DatetimePicker"
                    name="scheduled_publication_date"
-                    label="<?= lang('Episode.publish_form.scheduled_publication_date') ?>"
-                    hint="<?= lang('Episode.publish_form.scheduled_publication_date_hint') ?>"
+                    label="<?= esc(lang('Episode.publish_form.scheduled_publication_date')) ?>"
+                    hint="<?= esc(lang('Episode.publish_form.scheduled_publication_date_hint')) ?>"
                    value="<?= $episode->published_at ?>"
                />
            </div>
--- a/themes/cp_admin/episode/soundbites_new.php
+++ b/themes/cp_admin/episode/soundbites_new.php
@ -16,7 +16,7 @@

    <Forms.Field
        name="title"
-        label="<?= lang('Soundbite.form.soundbite_title') ?>"
+        label="<?= esc(lang('Soundbite.form.soundbite_title')) ?>"
        required="true"
        class="max-w-sm"
    />
--- a/themes/cp_admin/episode/video_clips_new.php
+++ b/themes/cp_admin/episode/video_clips_new.php
@ -36,7 +36,7 @@ use Modules\MediaClipper\Config\MediaClipper;
    <Forms.Section title="<?= lang('VideoClip.form.params_section_title') ?>" >
        <Forms.Field
            name="title"
-            label="<?= lang('VideoClip.form.clip_title') ?>"
+            label="<?= esc(lang('VideoClip.form.clip_title')) ?>"
            required="true"
        />
        <fieldset class="flex flex-wrap gap-x-1 gap-y-2">
@ -46,17 +46,17 @@ use Modules\MediaClipper\Config\MediaClipper;
                name="format"
                isChecked="true"
                required="true"
-                hint="<?= lang('VideoClip.form.format.landscape_hint') ?>"><?= lang('VideoClip.format.landscape') ?></Forms.RadioButton>
+                hint="<?= esc(lang('VideoClip.form.format.landscape_hint')) ?>"><?= lang('VideoClip.format.landscape') ?></Forms.RadioButton>
            <Forms.RadioButton
                value="portrait"
                name="format"
                required="true"
-                hint="<?= lang('VideoClip.form.format.portrait_hint') ?>"><?= lang('VideoClip.format.portrait') ?></Forms.RadioButton>
+                hint="<?= esc(lang('VideoClip.form.format.portrait_hint')) ?>"><?= lang('VideoClip.format.portrait') ?></Forms.RadioButton>
            <Forms.RadioButton
                value="squared"
                name="format"
                required="true"
-                hint="<?= lang('VideoClip.form.format.squared_hint') ?>"><?= lang('VideoClip.format.squared') ?></Forms.RadioButton>
+                hint="<?= esc(lang('VideoClip.form.format.squared_hint')) ?>"><?= lang('VideoClip.format.squared') ?></Forms.RadioButton>
        </fieldset>
        <fieldset>
            <legend><?= lang('VideoClip.form.theme') ?></legend>
--- a/themes/cp_admin/fediverse/blocked_actors.php
+++ b/themes/cp_admin/fediverse/blocked_actors.php
@ -14,7 +14,11 @@
 <form action="<?= route_to('fediverse-attempt-block-actor') ?>" method="POST" class="flex flex-col max-w-md">
    <?= csrf_field() ?>

-    <Forms.Field name="handle" label="<?= lang('Fediverse.block_lists_form.handle') ?>" hint="<?= lang('Fediverse.block_lists_form.handle_hint') ?>" required="true" />
+    <Forms.Field
+        name="handle"
+        label="<?= esc(lang('Fediverse.block_lists_form.handle')) ?>"
+        hint="<?= esc(lang('Fediverse.block_lists_form.handle_hint')) ?>"
+        required="true" />
    <Button variant="primary" type="submit" class="self-end"><?= lang('Fediverse.block_lists_form.submit') ?></Button>
 </form>

--- a/themes/cp_admin/fediverse/blocked_domains.php
+++ b/themes/cp_admin/fediverse/blocked_domains.php
@ -14,7 +14,10 @@
 <form action="<?= route_to('fediverse-attempt-block-domain') ?>" method="POST" class="flex flex-col max-w-md">
    <?= csrf_field() ?>

-    <Forms.Field name="domain" label="<?= lang('Fediverse.block_lists_form.domain') ?>" required="true" />
+    <Forms.Field
+        name="domain"
+        label="<?= esc(lang('Fediverse.block_lists_form.domain')) ?>"
+        required="true" />
    <Button variant="primary" type="submit" class="self-end"><?= lang('Fediverse.block_lists_form.submit') ?></Button>
 </form>

--- a/themes/cp_admin/import/add_to_queue.php
+++ b/themes/cp_admin/import/add_to_queue.php
@ -18,8 +18,8 @@
 <Alert glyph="scales" variant="info" title="<?= lang('PodcastImport.old_podcast_legal_disclaimer_title') ?>"><?= lang('PodcastImport.old_podcast_legal_disclaimer') ?></Alert>
 <Forms.Field
    name="imported_feed_url"
-    label="<?= lang('PodcastImport.imported_feed_url') ?>"
-    hint="<?= lang('PodcastImport.imported_feed_url_hint') ?>"
+    label="<?= esc(lang('PodcastImport.imported_feed_url')) ?>"
+    hint="<?= esc(lang('PodcastImport.imported_feed_url_hint')) ?>"
    placeholder="https://…"
    type="url"
    required="true" />
@ -30,7 +30,7 @@
    title="<?= lang('PodcastImport.new_podcast_section_title') ?>" >

 <div class="flex flex-col">
-    <Forms.Label for="handle" hint="<?= lang('Podcast.form.handle_hint') ?>"><?= lang('Podcast.form.handle') ?></Forms.Label>
+    <Forms.Label for="handle" hint="<?= esc(lang('Podcast.form.handle_hint')) ?>"><?= lang('Podcast.form.handle') ?></Forms.Label>
    <div class="relative">
        <Icon glyph="at" class="absolute inset-0 h-full text-xl opacity-40 left-3" />
        <Forms.Input name="handle" class="w-full pl-8" required="true" />
@ -40,7 +40,7 @@
 <Forms.Field
    as="Select"
    name="language"
-    label="<?= lang('Podcast.form.language') ?>"
+    label="<?= esc(lang('Podcast.form.language')) ?>"
    selected="<?= $browserLang ?>"
    required="true"
    options="<?= esc(json_encode($languageOptions)) ?>" />
@ -48,7 +48,7 @@
 <Forms.Field
    as="Select"
    name="category"
-    label="<?= lang('Podcast.form.category') ?>"
+    label="<?= esc(lang('Podcast.form.category')) ?>"
    required="true"
    options="<?= esc(json_encode($categoryOptions)) ?>" />

--- a/themes/cp_admin/import/podcast_sync.php
+++ b/themes/cp_admin/import/podcast_sync.php
@ -13,8 +13,8 @@
    <?= csrf_field() ?>
    <Forms.Field
        name="feed_url"
-        label="<?= lang('PodcastImport.syncForm.feed_url') ?>"
-        hint="<?= lang('PodcastImport.syncForm.feed_url_hint') ?>"
+        label="<?= esc(lang('PodcastImport.syncForm.feed_url')) ?>"
+        hint="<?= esc(lang('PodcastImport.syncForm.feed_url_hint')) ?>"
        required="true"
        value="<?= $podcast->imported_feed_url ?? '' ?>"
    />
--- a/themes/cp_admin/my_account/change_password.php
+++ b/themes/cp_admin/my_account/change_password.php
@ -15,12 +15,12 @@
    <?= csrf_field() ?>
    <Forms.Field
        name="password"
-        label="<?= lang('User.form.password') ?>"
+        label="<?= esc(lang('User.form.password')) ?>"
        required="true"
        type="password" />
    <Forms.Field
        name="new_password"
-        label="<?= lang('User.form.new_password') ?>"
+        label="<?= esc(lang('User.form.new_password')) ?>"
        required="true"
        type="password"
        autocomplete="new-password" />
--- a/themes/cp_admin/page/create.php
+++ b/themes/cp_admin/page/create.php
@ -16,7 +16,7 @@

 <Forms.Field
    name="title"
-    label="<?= lang('Page.form.title') ?>"
+    label="<?= esc(lang('Page.form.title')) ?>"
    required="true"
    data-slugify="title"
    class="max-w-sm" />
@ -32,7 +32,7 @@
 <Forms.Field
    as="MarkdownEditor"
    name="content"
-    label="<?= lang('Page.form.content') ?>"
+    label="<?= esc(lang('Page.form.content')) ?>"
    required="true"
    rows="20" />

--- a/themes/cp_admin/page/edit.php
+++ b/themes/cp_admin/page/edit.php
@ -16,7 +16,7 @@

 <Forms.Field
    name="title"
-    label="<?= lang('Page.form.title') ?>"
+    label="<?= esc(lang('Page.form.title')) ?>"
    required="true"
    data-slugify="title"
    value="<?= esc($page->title) ?>"
@ -34,7 +34,7 @@
 <Forms.Field
    as="MarkdownEditor"
    name="content"
-    label="<?= lang('Page.form.content') ?>"
+    label="<?= esc(lang('Page.form.content')) ?>"
    value="<?= esc($page->content_markdown) ?>"
    required="true"
    rows="20" />
--- a/themes/cp_admin/person/create.php
+++ b/themes/cp_admin/person/create.php
@ -16,28 +16,28 @@

 <Forms.Field
    name="avatar"
-    label="<?= lang('Person.form.avatar') ?>"
-    helper="<?= lang('Person.form.avatar_size_hint') ?>"
+    label="<?= esc(lang('Person.form.avatar')) ?>"
+    helper="<?= esc(lang('Person.form.avatar_size_hint')) ?>"
    type="file"
    accept=".jpg,.jpeg,.png" />

 <Forms.Field
    name="full_name"
-    label="<?= lang('Person.form.full_name') ?>"
-    hint="<?= lang('Person.form.full_name_hint') ?>"
+    label="<?= esc(lang('Person.form.full_name')) ?>"
+    hint="<?= esc(lang('Person.form.full_name_hint')) ?>"
    required="true"
    data-slugify="title" />

 <Forms.Field
    name="unique_name"
-    label="<?= lang('Person.form.unique_name') ?>"
-    hint="<?= lang('Person.form.unique_name_hint') ?>"
+    label="<?= esc(lang('Person.form.unique_name')) ?>"
+    hint="<?= esc(lang('Person.form.unique_name_hint')) ?>"
    required="true"
    data-slugify="slug" />
 <Forms.Field
    name="information_url"
-    label="<?= lang('Person.form.information_url') ?>"
-    hint="<?= lang('Person.form.information_url_hint') ?>" />
+    label="<?= esc(lang('Person.form.information_url')) ?>"
+    hint="<?= esc(lang('Person.form.information_url_hint')) ?>" />

 <Button variant="primary" class="self-end" type="submit"><?= lang('Person.form.submit_create') ?></Button>

--- a/themes/cp_admin/person/edit.php
+++ b/themes/cp_admin/person/edit.php
@ -16,31 +16,31 @@

 <Forms.Field
    name="avatar"
-    label="<?= lang('Person.form.avatar') ?>"
-    helper="<?= lang('Person.form.avatar_size_hint') ?>"
+    label="<?= esc(lang('Person.form.avatar')) ?>"
+    helper="<?= esc(lang('Person.form.avatar_size_hint')) ?>"
    type="file"
    accept=".jpg,.jpeg,.png" />

 <Forms.Field
    name="full_name"
    value="<?= esc($person->full_name) ?>"
-    label="<?= lang('Person.form.full_name') ?>"
-    hint="<?= lang('Person.form.full_name_hint') ?>"
+    label="<?= esc(lang('Person.form.full_name')) ?>"
+    hint="<?= esc(lang('Person.form.full_name_hint')) ?>"
    required="true"
    data-slugify="title" />

 <Forms.Field
    name="unique_name"
    value="<?= esc($person->unique_name) ?>"
-    label="<?= lang('Person.form.unique_name') ?>"
-    hint="<?= lang('Person.form.unique_name_hint') ?>"
+    label="<?= esc(lang('Person.form.unique_name')) ?>"
+    hint="<?= esc(lang('Person.form.unique_name_hint')) ?>"
    required="true"
    data-slugify="slug" />

 <Forms.Field
    name="information_url"
-    label="<?= lang('Person.form.information_url') ?>"
-    hint="<?= lang('Person.form.information_url_hint') ?>"
+    label="<?= esc(lang('Person.form.information_url')) ?>"
+    hint="<?= esc(lang('Person.form.information_url_hint')) ?>"
    value="<?= esc($person->information_url) ?>" />

 <Button variant="primary" class="self-end" type="submit"><?= lang('Person.form.submit_edit') ?></Button>
--- a/themes/cp_admin/podcast/create.php
+++ b/themes/cp_admin/podcast/create.php
@ -23,21 +23,21 @@

 <Forms.Field
    name="cover"
-    label="<?= lang('Podcast.form.cover') ?>"
-    helper="<?= lang('Podcast.form.cover_size_hint') ?>"
+    label="<?= esc(lang('Podcast.form.cover')) ?>"
+    helper="<?= esc(lang('Podcast.form.cover_size_hint')) ?>"
    type="file"
    required="true"
    accept=".jpg,.jpeg,.png" />

 <Forms.Field
    name="title"
-    label="<?= lang('Podcast.form.title') ?>"
+    label="<?= esc(lang('Podcast.form.title')) ?>"
    required="true" />

 <Forms.Field
    as="MarkdownEditor"
    name="description"
-    label="<?= lang('Podcast.form.description') ?>"
+    label="<?= esc(lang('Podcast.form.description')) ?>"
    required="true"
    disallowList="header,quote" />

@ -47,12 +47,12 @@
        <Forms.RadioButton
            value="episodic"
            name="type"
-            hint="<?= lang('Podcast.form.type.episodic_hint') ?>"
+            hint="<?= esc(lang('Podcast.form.type.episodic_hint')) ?>"
            isChecked="true'" ><?= lang('Podcast.form.type.episodic') ?></Forms.RadioButton>
        <Forms.RadioButton
            value="serial"
            name="type"
-            hint="<?= lang('Podcast.form.type.serial_hint') ?>"
+            hint="<?= esc(lang('Podcast.form.type.serial_hint')) ?>"
            isChecked="false" ><?= lang('Podcast.form.type.serial') ?></Forms.RadioButton>
    </div>
 </fieldset>
@ -65,7 +65,7 @@
    <Forms.Field
        as="Select"
        name="language"
-        label="<?= lang('Podcast.form.language') ?>"
+        label="<?= esc(lang('Podcast.form.language')) ?>"
        selected="<?= $browserLang ?>"
        required="true"
        options="<?= esc(json_encode($languageOptions)) ?>" />
@ -73,14 +73,14 @@
    <Forms.Field
        as="Select"
        name="category"
-        label="<?= lang('Podcast.form.category') ?>"
+        label="<?= esc(lang('Podcast.form.category')) ?>"
        required="true"
        options="<?= esc(json_encode($categoryOptions)) ?>" />

    <Forms.Field
        as="MultiSelect"
        name="other_categories[]"
-        label="<?= lang('Podcast.form.other_categories') ?>"
+        label="<?= esc(lang('Podcast.form.other_categories')) ?>"
        data-max-item-count="2"
        options="<?= esc(json_encode($categoryOptions)) ?>" />

@ -110,28 +110,28 @@

 <Forms.Field
    name="owner_name"
-    label="<?= lang('Podcast.form.owner_name') ?>"
-    hint="<?= lang('Podcast.form.owner_name_hint') ?>"
+    label="<?= esc(lang('Podcast.form.owner_name')) ?>"
+    hint="<?= esc(lang('Podcast.form.owner_name_hint')) ?>"
    required="true" />

 <Forms.Field
    name="owner_email"
    type="email"
-    label="<?= lang('Podcast.form.owner_email') ?>"
-    hint="<?= lang('Podcast.form.owner_email_hint') ?>"
+    label="<?= esc(lang('Podcast.form.owner_email')) ?>"
+    hint="<?= esc(lang('Podcast.form.owner_email_hint')) ?>"
    required="true" />

-<Forms.Toggler class="mt-2" name="is_owner_email_removed_from_feed" value="yes" checked="false" hint="<?= lang('Podcast.form.is_owner_email_removed_from_feed_hint') ?>">
+<Forms.Toggler class="mt-2" name="is_owner_email_removed_from_feed" value="yes" checked="false" hint="<?= esc(lang('Podcast.form.is_owner_email_removed_from_feed_hint')) ?>">
    <?= lang('Podcast.form.is_owner_email_removed_from_feed') ?></Forms.Toggler>

 <Forms.Field
    name="publisher"
-    label="<?= lang('Podcast.form.publisher') ?>"
-    hint="<?= lang('Podcast.form.publisher_hint') ?>" />
+    label="<?= esc(lang('Podcast.form.publisher')) ?>"
+    hint="<?= esc(lang('Podcast.form.publisher_hint')) ?>" />

 <Forms.Field
    name="copyright"
-    label="<?= lang('Podcast.form.copyright') ?>" />
+    label="<?= esc(lang('Podcast.form.copyright')) ?>" />

 </Forms.Section>

@ -139,7 +139,7 @@
    title="<?= lang('Podcast.form.fediverse_section_title') ?>" >
    
    <div class="flex flex-col">
-        <Forms.Label for="handle" hint="<?= lang('Podcast.form.handle_hint') ?>"><?= lang('Podcast.form.handle') ?></Forms.Label>
+        <Forms.Label for="handle" hint="<?= esc(lang('Podcast.form.handle_hint')) ?>"><?= lang('Podcast.form.handle') ?></Forms.Label>
        <div class="relative">
            <Icon glyph="at" class="absolute inset-0 h-full text-xl opacity-40 left-3" />
            <Forms.Input name="handle" class="w-full pl-8" required="true" />
@ -148,14 +148,14 @@

    <Forms.Field
        name="banner"
-        label="<?= lang('Podcast.form.banner') ?>"
-        helper="<?= lang('Podcast.form.banner_size_hint') ?>"
+        label="<?= esc(lang('Podcast.form.banner')) ?>"
+        helper="<?= esc(lang('Podcast.form.banner_size_hint')) ?>"
        type="file"
        accept=".jpg,.jpeg,.png" />
 </Forms.Section>

 <Forms.Section title="<?= lang('Podcast.form.premium') ?>">
-    <Forms.Toggler class="mt-2" name="premium_by_default" value="yes" checked="false" hint="<?= lang('Podcast.form.premium_by_default_hint') ?>">
+    <Forms.Toggler class="mt-2" name="premium_by_default" value="yes" checked="false" hint="<?= esc(lang('Podcast.form.premium_by_default_hint')) ?>">
        <?= lang('Podcast.form.premium_by_default') ?></Forms.Toggler>
 </Forms.Section>

@ -164,7 +164,7 @@
    subtitle="<?= lang('Podcast.form.op3_hint') ?>">

    <a href="https://op3.dev" target="_blank" rel="noopener noreferrer" class="inline-flex self-start text-xs font-semibold underline gap-x-1 text-skin-muted hover:no-underline focus:ring-accent"><Icon glyph="link" class="text-sm"/>op3.dev</a>
-    <Forms.Toggler name="enable_op3" value="yes" checked="false" hint="<?= lang('Podcast.form.op3_enable_hint') ?>"><?= lang('Podcast.form.op3_enable') ?></Forms.Toggler>
+    <Forms.Toggler name="enable_op3" value="yes" checked="false" hint="<?= esc(lang('Podcast.form.op3_enable_hint')) ?>"><?= lang('Podcast.form.op3_enable') ?></Forms.Toggler>
 </Forms.Section>

 <Forms.Section
@ -173,8 +173,8 @@

 <Forms.Field
    name="location_name"
-    label="<?= lang('Podcast.form.location_name') ?>"
-    hint="<?= lang('Podcast.form.location_name_hint') ?>" />
+    label="<?= esc(lang('Podcast.form.location_name')) ?>"
+    hint="<?= esc(lang('Podcast.form.location_name_hint')) ?>" />

 </Forms.Section>

@ -184,13 +184,13 @@
 <Forms.Field
    as="XMLEditor"
    name="custom_rss"
-    label="<?= lang('Podcast.form.custom_rss') ?>"
-    hint="<?= lang('Podcast.form.custom_rss_hint') ?>" />
+    label="<?= esc(lang('Podcast.form.custom_rss')) ?>"
+    hint="<?= esc(lang('Podcast.form.custom_rss_hint')) ?>" />

-<Forms.Toggler class="mb-2" name="lock" value="yes" checked="true" hint="<?= lang('Podcast.form.lock_hint') ?>">
+<Forms.Toggler class="mb-2" name="lock" value="yes" checked="true" hint="<?= esc(lang('Podcast.form.lock_hint')) ?>">
    <?= lang('Podcast.form.lock') ?>
 </Forms.Toggler>
-<Forms.Toggler class="mb-2" name="block" value="yes" checked="false" hint="<?= lang('Podcast.form.block_hint') ?>">
+<Forms.Toggler class="mb-2" name="block" value="yes" checked="false" hint="<?= esc(lang('Podcast.form.block_hint')) ?>">
    <?= lang('Podcast.form.block') ?>
 </Forms.Toggler>
 <Forms.Toggler name="complete" value="yes" checked="false">
--- a/themes/cp_admin/podcast/edit.php
+++ b/themes/cp_admin/podcast/edit.php
@ -44,21 +44,21 @@

 <Forms.Field
    name="cover"
-    label="<?= lang('Podcast.form.cover') ?>"
-    helper="<?= lang('Podcast.form.cover_size_hint') ?>"
+    label="<?= esc(lang('Podcast.form.cover')) ?>"
+    helper="<?= esc(lang('Podcast.form.cover_size_hint')) ?>"
    type="file"
    accept=".jpg,.jpeg,.png" />

 <Forms.Field
    name="title"
-    label="<?= lang('Podcast.form.title') ?>"
+    label="<?= esc(lang('Podcast.form.title')) ?>"
    value="<?= esc($podcast->title) ?>"
    required="true" />

 <Forms.Field
    as="MarkdownEditor"
    name="description"
-    label="<?= lang('Podcast.form.description') ?>"
+    label="<?= esc(lang('Podcast.form.description')) ?>"
    value="<?= esc($podcast->description_markdown) ?>"
    required="true"
    disallowList="header,quote" />
@ -69,12 +69,12 @@
        <Forms.RadioButton
            value="episodic"
            name="type"
-            hint="<?= lang('Podcast.form.type.episodic_hint') ?>"
+            hint="<?= esc(lang('Podcast.form.type.episodic_hint')) ?>"
            isChecked="<?= $podcast->type === 'episodic' ? 'true' : 'false' ?>" ><?= lang('Podcast.form.type.episodic') ?></Forms.RadioButton>
        <Forms.RadioButton
            value="serial"
            name="type"
-            hint="<?= lang('Podcast.form.type.serial_hint') ?>"
+            hint="<?= esc(lang('Podcast.form.type.serial_hint')) ?>"
            isChecked="<?= $podcast->type === 'serial' ? 'true' : 'false' ?>" ><?= lang('Podcast.form.type.serial') ?></Forms.RadioButton>
    </div>
 </fieldset>
@ -87,7 +87,7 @@
    <Forms.Field
        as="Select"
        name="language"
-        label="<?= lang('Podcast.form.language') ?>"
+        label="<?= esc(lang('Podcast.form.language')) ?>"
        selected="<?= $podcast->language_code ?>"
        options="<?= esc(json_encode($languageOptions)) ?>"
        required="true" />
@ -95,7 +95,7 @@
    <Forms.Field
        as="Select"
        name="category"
-        label="<?= lang('Podcast.form.category') ?>"
+        label="<?= esc(lang('Podcast.form.category')) ?>"
        selected="<?= $podcast->category_id ?>"
        options="<?= esc(json_encode($categoryOptions)) ?>"
        required="true" />
@ -103,7 +103,7 @@
    <Forms.Field
        as="MultiSelect"
        name="other_categories[]"
-        label="<?= lang('Podcast.form.other_categories') ?>"
+        label="<?= esc(lang('Podcast.form.other_categories')) ?>"
        data-max-item-count="2"
        selected="<?= esc(json_encode($podcast->other_categories_ids)) ?>"
        options="<?= esc(json_encode($categoryOptions)) ?>" />
@ -134,31 +134,31 @@

 <Forms.Field
    name="owner_name"
-    label="<?= lang('Podcast.form.owner_name') ?>"
+    label="<?= esc(lang('Podcast.form.owner_name')) ?>"
    value="<?= esc($podcast->owner_name) ?>"
-    hint="<?= lang('Podcast.form.owner_name_hint') ?>"
+    hint="<?= esc(lang('Podcast.form.owner_name_hint')) ?>"
    required="true" />

 <Forms.Field
    name="owner_email"
    type="email"
-    label="<?= lang('Podcast.form.owner_email') ?>"
+    label="<?= esc(lang('Podcast.form.owner_email')) ?>"
    value="<?= esc($podcast->owner_email) ?>"
-    hint="<?= lang('Podcast.form.owner_email_hint') ?>"
+    hint="<?= esc(lang('Podcast.form.owner_email_hint')) ?>"
    required="true" />

-<Forms.Toggler class="mt-2" name="is_owner_email_removed_from_feed" value="yes" checked="<?= $podcast->is_owner_email_removed_from_feed ? 'true' : 'false' ?>" hint="<?= lang('Podcast.form.is_owner_email_removed_from_feed_hint') ?>">
+<Forms.Toggler class="mt-2" name="is_owner_email_removed_from_feed" value="yes" checked="<?= $podcast->is_owner_email_removed_from_feed ? 'true' : 'false' ?>" hint="<?= esc(lang('Podcast.form.is_owner_email_removed_from_feed_hint')) ?>">
    <?= lang('Podcast.form.is_owner_email_removed_from_feed') ?></Forms.Toggler>

 <Forms.Field
    name="publisher"
-    label="<?= lang('Podcast.form.publisher') ?>"
+    label="<?= esc(lang('Podcast.form.publisher')) ?>"
    value="<?= esc($podcast->publisher) ?>"
-    hint="<?= lang('Podcast.form.publisher_hint') ?>" />
+    hint="<?= esc(lang('Podcast.form.publisher_hint')) ?>" />

 <Forms.Field
    name="copyright"
-    label="<?= lang('Podcast.form.copyright') ?>"
+    label="<?= esc(lang('Podcast.form.copyright')) ?>"
    value="<?= esc($podcast->copyright) ?>" />

 </Forms.Section>
@ -167,7 +167,7 @@
    title="<?= lang('Podcast.form.fediverse_section_title') ?>" >

 <div class="flex flex-col">
-    <Forms.Label for="handle" hint="<?= lang('Podcast.form.handle_hint') ?>"><?= lang('Podcast.form.handle') ?></Forms.Label>
+    <Forms.Label for="handle" hint="<?= esc(lang('Podcast.form.handle_hint')) ?>"><?= lang('Podcast.form.handle') ?></Forms.Label>
    <div class="relative">
        <Icon glyph="at" class="absolute inset-0 h-full text-xl opacity-40 left-3" />
        <Forms.Input name="handle" value="<?= $podcast->handle ?>" class="w-full pl-8" required="true" readonly="true" />
@ -176,15 +176,15 @@

 <Forms.Field
    name="banner"
-    label="<?= lang('Podcast.form.banner') ?>"
-    helper="<?= lang('Podcast.form.banner_size_hint') ?>"
+    label="<?= esc(lang('Podcast.form.banner')) ?>"
+    helper="<?= esc(lang('Podcast.form.banner_size_hint')) ?>"
    type="file"
    accept=".jpg,.jpeg,.png" />

 </Forms.Section>

 <Forms.Section title="<?= lang('Podcast.form.premium') ?>">
-    <Forms.Toggler class="mt-2" name="premium_by_default" value="yes" checked="<?= $podcast->is_premium_by_default ? 'true' : 'false' ?>" hint="<?= lang('Podcast.form.premium_by_default_hint') ?>">
+    <Forms.Toggler class="mt-2" name="premium_by_default" value="yes" checked="<?= $podcast->is_premium_by_default ? 'true' : 'false' ?>" hint="<?= esc(lang('Podcast.form.premium_by_default_hint')) ?>">
        <?= lang('Podcast.form.premium_by_default') ?></Forms.Toggler>
 </Forms.Section>

@ -194,7 +194,7 @@

    <a href="https://op3.dev" target="_blank" rel="noopener noreferrer" class="inline-flex self-start text-xs font-semibold underline gap-x-1 text-skin-muted hover:no-underline focus:ring-accent"><Icon glyph="link" class="text-sm"/>op3.dev</a>
    <Forms.Toggler name="enable_op3" value="yes" checked="<?= service('settings')
-            ->get('Analytics.enableOP3', 'podcast:' . $podcast->id) ? 'true' : 'false' ?>" hint="<?= lang('Podcast.form.op3_enable_hint') ?>"><?= lang('Podcast.form.op3_enable') ?></Forms.Toggler>
+            ->get('Analytics.enableOP3', 'podcast:' . $podcast->id) ? 'true' : 'false' ?>" hint="<?= esc(lang('Podcast.form.op3_enable_hint')) ?>"><?= lang('Podcast.form.op3_enable') ?></Forms.Toggler>
 </Forms.Section>

 <Forms.Section
@ -203,9 +203,9 @@

 <Forms.Field
    name="location_name"
-    label="<?= lang('Podcast.form.location_name') ?>"
+    label="<?= esc(lang('Podcast.form.location_name')) ?>"
    value="<?= esc($podcast->location_name) ?>"
-    hint="<?= lang('Podcast.form.location_name_hint') ?>" />
+    hint="<?= esc(lang('Podcast.form.location_name_hint')) ?>" />

 </Forms.Section>

@ -216,22 +216,22 @@
 <Forms.Field
    as="XMLEditor"
    name="custom_rss"
-    label="<?= lang('Podcast.form.custom_rss') ?>"
-    hint="<?= lang('Podcast.form.custom_rss_hint') ?>"
+    label="<?= esc(lang('Podcast.form.custom_rss')) ?>"
+    hint="<?= esc(lang('Podcast.form.custom_rss_hint')) ?>"
    content="<?= esc($podcast->custom_rss_string) ?>" />

    <Forms.Field
    name="new_feed_url"
    type="url"
-    label="<?= lang('Podcast.form.new_feed_url') ?>"
-    hint="<?= lang('Podcast.form.new_feed_url_hint') ?>"
+    label="<?= esc(lang('Podcast.form.new_feed_url')) ?>"
+    hint="<?= esc(lang('Podcast.form.new_feed_url_hint')) ?>"
    value="<?= esc($podcast->new_feed_url) ?>"
    />

-    <Forms.Toggler class="mb-2" name="lock" value="yes" checked="<?= $podcast->is_locked ? 'true' : 'false' ?>" hint="<?= lang('Podcast.form.lock_hint') ?>">
+    <Forms.Toggler class="mb-2" name="lock" value="yes" checked="<?= $podcast->is_locked ? 'true' : 'false' ?>" hint="<?= esc(lang('Podcast.form.lock_hint')) ?>">
        <?= lang('Podcast.form.lock') ?>
    </Forms.Toggler>
-    <Forms.Toggler class="mb-2" name="block" value="yes" checked="<?= $podcast->is_blocked ? 'true' : 'false'  ?>" hint="<?= lang('Podcast.form.block_hint') ?>">
+    <Forms.Toggler class="mb-2" name="block" value="yes" checked="<?= $podcast->is_blocked ? 'true' : 'false'  ?>" hint="<?= esc(lang('Podcast.form.block_hint')) ?>">
        <?= lang('Podcast.form.block') ?>
    </Forms.Toggler>
    <Forms.Toggler name="complete" value="yes" checked="<?= $podcast->is_completed ? 'true' : 'false' ?>">
--- a/themes/cp_admin/podcast/monetization_other.php
+++ b/themes/cp_admin/podcast/monetization_other.php
@ -18,24 +18,24 @@

 <Forms.Field
    name="payment_pointer"
-    label="<?= lang('Podcast.form.payment_pointer') ?>"
+    label="<?= esc(lang('Podcast.form.payment_pointer')) ?>"
    value="<?= esc($podcast->payment_pointer) ?>"
-    hint="<?= lang('Podcast.form.payment_pointer_hint') ?>" />
+    hint="<?= esc(lang('Podcast.form.payment_pointer_hint')) ?>" />

 <fieldset class="flex flex-col items-start p-4 rounded bg-base">
    <Heading tagName="legend" class="float-left" size="small"><?= lang('Podcast.form.partnership') ?></Heading>
    <div class="flex flex-col w-full clear-left gap-x-2 gap-y-4 md:flex-row">
        <div class="flex flex-col flex-shrink w-32">
-            <Forms.Label for="partner_id" hint="<?= lang('Podcast.form.partner_id_hint') ?>" isOptional="true"><?= lang('Podcast.form.partner_id') ?></Forms.Label>
+            <Forms.Label for="partner_id" hint="<?= esc(lang('Podcast.form.partner_id_hint')) ?>" isOptional="true"><?= lang('Podcast.form.partner_id') ?></Forms.Label>
            <Forms.Input name="partner_id" value="<?= esc($podcast->partner_id) ?>" />
        </div>
        <div class="flex flex-col flex-1">
-            <Forms.Label for="partner_link_url" hint="<?= lang('Podcast.form.partner_link_url_hint') ?>" isOptional="true"><?= lang('Podcast.form.partner_link_url') ?></Forms.Label>
+            <Forms.Label for="partner_link_url" hint="<?= esc(lang('Podcast.form.partner_link_url_hint')) ?>" isOptional="true"><?= lang('Podcast.form.partner_link_url') ?></Forms.Label>
            <Forms.Input name="partner_link_url" value="<?= esc($podcast->partner_link_url) ?>" />
        </div>
    </div>
    <div class="flex flex-col w-full mt-2">
-        <Forms.Label for="partner_image_url" hint="<?= lang('Podcast.form.partner_image_url_hint') ?>" isOptional="true"><?= lang('Podcast.form.partner_image_url') ?></Forms.Label>
+        <Forms.Label for="partner_image_url" hint="<?= esc(lang('Podcast.form.partner_image_url_hint')) ?>" isOptional="true"><?= lang('Podcast.form.partner_image_url') ?></Forms.Label>
        <Forms.Input name="partner_image_url" value="<?= esc($podcast->partner_image_url) ?>" />
    </div>
 </fieldset>
--- a/themes/cp_admin/podcast/persons.php
+++ b/themes/cp_admin/podcast/persons.php
@ -26,8 +26,8 @@
        as="MultiSelect"
        id="persons"
        name="persons[]"
-        label="<?= lang('Person.podcast_form.persons') ?>"
-        hint="<?= lang('Person.podcast_form.persons_hint') ?>"
+        label="<?= esc(lang('Person.podcast_form.persons')) ?>"
+        hint="<?= esc(lang('Person.podcast_form.persons_hint')) ?>"
        options="<?= esc(json_encode($personOptions)) ?>"
        selected="<?= esc(json_encode(old('persons', []))) ?>"
        required="true" />
@ -36,8 +36,8 @@
        as="MultiSelect"
        id="roles"
        name="roles[]"
-        label="<?= lang('Person.podcast_form.roles') ?>"
-        hint="<?= lang('Person.podcast_form.roles_hint') ?>"
+        label="<?= esc(lang('Person.podcast_form.roles')) ?>"
+        hint="<?= esc(lang('Person.podcast_form.roles_hint')) ?>"
        options="<?= esc(json_encode($taxonomyOptions)) ?>"
        selected="<?= esc(json_encode(old('roles', []))) ?>"
    />
--- a/themes/cp_admin/podcast/platforms.php
+++ b/themes/cp_admin/podcast/platforms.php
@ -71,7 +71,7 @@
            </div>
            <fieldset>
                <Forms.Field
-                    label="<?= lang('Platforms.your_link') ?>"
+                    label="<?= esc(lang('Platforms.your_link')) ?>"
                    class="w-full mt-4"
                    id="<?= esc($platform->slug) . '_link_url' ?>"
                    name="<?= 'platforms[' . esc($platform->slug) . '][url]' ?>"
@ -79,7 +79,7 @@
                    type="url"
                    placeholder="https://…" />
                <Forms.Field
-                    label="<?= lang("Platforms.your_id.{$platform->type}") ?>"
+                    label="<?= esc(lang("Platforms.your_id.{$platform->type}")) ?>"
                    class="w-full mt-2"
                    id="<?= esc($platform->slug) . '_account_id' ?>"
                    name="<?= 'platforms[' . esc($platform->slug) . '][account_id]' ?>"
--- a/themes/cp_admin/podcast/publish.php
+++ b/themes/cp_admin/podcast/publish.php
@ -60,8 +60,8 @@
            <Forms.Field
                as="DatetimePicker"
                name="scheduled_publication_date"
-                label="<?= lang('Podcast.publish_form.scheduled_publication_date') ?>"
-                hint="<?= lang('Podcast.publish_form.scheduled_publication_date_hint') ?>"
+                label="<?= esc(lang('Podcast.publish_form.scheduled_publication_date')) ?>"
+                hint="<?= esc(lang('Podcast.publish_form.scheduled_publication_date_hint')) ?>"
                value="<?= $podcast->published_at ?>"
            />
        </div>
--- a/themes/cp_admin/podcast/publish_edit.php
+++ b/themes/cp_admin/podcast/publish_edit.php
@ -61,8 +61,8 @@
            <Forms.Field
                as="DatetimePicker"
                name="scheduled_publication_date"
-                label="<?= lang('Podcast.publish_form.scheduled_publication_date') ?>"
-                hint="<?= lang('Podcast.publish_form.scheduled_publication_date_hint') ?>"
+                label="<?= esc(lang('Podcast.publish_form.scheduled_publication_date')) ?>"
+                hint="<?= esc(lang('Podcast.publish_form.scheduled_publication_date_hint')) ?>"
                value="<?= $podcast->published_at ?>"
            />
        </div>
--- a/themes/cp_admin/settings/general.php
+++ b/themes/cp_admin/settings/general.php
@ -25,7 +25,7 @@ use Config\App;

    <Forms.Field
        name="site_name"
-        label="<?= lang('Settings.instance.site_name') ?>"
+        label="<?= esc(lang('Settings.instance.site_name')) ?>"
        value="<?= esc(service('settings')
    ->get('App.siteName')) ?>"
        required="true" />
@ -33,7 +33,7 @@ use Config\App;
    <Forms.Field
        as="Textarea"
        name="site_description"
-        label="<?= lang('Settings.instance.site_description') ?>"
+        label="<?= esc(lang('Settings.instance.site_description')) ?>"
        value="<?= esc(service('settings')
    ->get('App.siteDescription')) ?>"
        required="true"
@ -43,9 +43,9 @@ use Config\App;
        <Forms.Field
            name="site_icon"
            type="file"
-            label="<?= lang('Settings.instance.site_icon') ?>"
-            hint="<?= lang('Settings.instance.site_icon_hint') ?>"
-            helper="<?= lang('Settings.instance.site_icon_helper') ?>"
+            label="<?= esc(lang('Settings.instance.site_icon')) ?>"
+            hint="<?= esc(lang('Settings.instance.site_icon_hint')) ?>"
+            helper="<?= esc(lang('Settings.instance.site_icon_helper')) ?>"
            accept=".png,.jpeg,.jpg"
            class="flex-1"
            />
@ -83,9 +83,9 @@ use Config\App;
    title="<?= lang('Settings.housekeeping.title') ?>"
    subtitle="<?= lang('Settings.housekeeping.subtitle') ?>" >

-    <Forms.Toggler name="reset_counts" value="yes" size="small" checked="false" hint="<?= lang('Settings.housekeeping.reset_counts_helper') ?>"><?= lang('Settings.housekeeping.reset_counts') ?></Forms.Toggler>
-    <Forms.Toggler name="rename_episodes_files" value="yes" size="small" checked="false" hint="<?= lang('Settings.housekeeping.rename_episodes_files_hint') ?>"><?= lang('Settings.housekeeping.rename_episodes_files') ?></Forms.Toggler>
-    <Forms.Toggler name="clear_cache" value="yes" size="small" checked="false" hint="<?= lang('Settings.housekeeping.clear_cache_helper') ?>"><?= lang('Settings.housekeeping.clear_cache') ?></Forms.Toggler>
+    <Forms.Toggler name="reset_counts" value="yes" size="small" checked="false" hint="<?= esc(lang('Settings.housekeeping.reset_counts_helper')) ?>"><?= lang('Settings.housekeeping.reset_counts') ?></Forms.Toggler>
+    <Forms.Toggler name="rename_episodes_files" value="yes" size="small" checked="false" hint="<?= esc(lang('Settings.housekeeping.rename_episodes_files_hint')) ?>"><?= lang('Settings.housekeeping.rename_episodes_files') ?></Forms.Toggler>
+    <Forms.Toggler name="clear_cache" value="yes" size="small" checked="false" hint="<?= esc(lang('Settings.housekeeping.clear_cache_helper')) ?>"><?= lang('Settings.housekeeping.clear_cache') ?></Forms.Toggler>

    <Button variant="primary" type="submit" iconLeft="home-gear"><?= lang('Settings.housekeeping.run') ?></Button>

--- a/themes/cp_admin/subscription/create.php
+++ b/themes/cp_admin/subscription/create.php
@ -18,14 +18,14 @@
 <Forms.Field
    name="email"
    type="email"
-    label="<?= lang('Subscription.form.email') ?>"
+    label="<?= esc(lang('Subscription.form.email')) ?>"
    required="true" />

 <Forms.Field
    as="DatetimePicker"
    name="expiration_date"
-    label="<?= lang('Subscription.form.expiration_date') ?>"
-    hint="<?= lang('Subscription.form.expiration_date_hint') ?>"
+    label="<?= esc(lang('Subscription.form.expiration_date')) ?>"
+    hint="<?= esc(lang('Subscription.form.expiration_date_hint')) ?>"
 />

 <Button type="submit" class="self-end" variant="primary"><?= lang('Subscription.form.submit_create') ?></Button>
--- a/themes/cp_admin/subscription/edit.php
+++ b/themes/cp_admin/subscription/edit.php
@ -27,8 +27,8 @@
 <Forms.Field
    as="DatetimePicker"
    name="expiration_date"
-    label="<?= lang('Subscription.form.expiration_date') ?>"
-    hint="<?= lang('Subscription.form.expiration_date_hint') ?>"
+    label="<?= esc(lang('Subscription.form.expiration_date')) ?>"
+    hint="<?= esc(lang('Subscription.form.expiration_date_hint')) ?>"
    value="<?= $subscription->expires_at ?>"
 />

--- a/themes/cp_admin/subscription/list.php
+++ b/themes/cp_admin/subscription/list.php
@ -21,8 +21,8 @@
        class="w-full"
        type="url"
        name="subscription_link"
-        label="<?= lang('Subscription.form_link_add.link') ?>"
-        hint="<?= lang('Subscription.form_link_add.link_hint') ?>"
+        label="<?= esc(lang('Subscription.form_link_add.link')) ?>"
+        hint="<?= esc(lang('Subscription.form_link_add.link_hint')) ?>"
        placeholder="https://…"
        value="<?= service('settings')
        ->get('Subscription.link', 'podcast:' . $podcast->id) ?>" />
--- a/themes/cp_admin/subscription/suspend.php
+++ b/themes/cp_admin/subscription/suspend.php
@ -20,7 +20,7 @@
 <Forms.Field
    as="Textarea"
    name="reason"
-    label="<?= lang('Subscription.suspend_form.reason') ?>"
+    label="<?= esc(lang('Subscription.suspend_form.reason')) ?>"
    placeholder="<?= lang('Subscription.suspend_form.reason_placeholder') ?>"
    rows="4"
    class="mt-4"
--- a/themes/cp_admin/user/create.php
+++ b/themes/cp_admin/user/create.php
@ -16,19 +16,19 @@

 <Forms.Field
    name="username"
-    label="<?= lang('User.form.username') ?>"
+    label="<?= esc(lang('User.form.username')) ?>"
    required="true" />

 <Forms.Field
    name="email"
    type="email"
-    label="<?= lang('User.form.email') ?>"
+    label="<?= esc(lang('User.form.email')) ?>"
    required="true" />

 <Forms.Field
    as="Select"
    name="role"
-    label="<?= lang('User.form.role') ?>"
+    label="<?= esc(lang('User.form.role')) ?>"
    options="<?= esc(json_encode($roleOptions)) ?>"
    selected="<?= setting('AuthGroups.defaultGroup') ?>"
    required="true" />
--- a/themes/cp_admin/user/edit.php
+++ b/themes/cp_admin/user/edit.php
@ -21,7 +21,7 @@
 <Forms.Field
    as="Select"
    name="role"
-    label="<?= lang('User.form.role') ?>"
+    label="<?= esc(lang('User.form.role')) ?>"
    options="<?= esc(json_encode($roleOptions)) ?>"
    selected="<?= esc(get_instance_group($user)) ?>"
    required="true" />
--- a/themes/cp_app/podcast/follow.php
+++ b/themes/cp_app/podcast/follow.php
@ -56,8 +56,8 @@

            <Forms.Field
                name="handle"
-                label="<?= lang('Fediverse.your_handle') ?>"
-                hint="<?= lang('Fediverse.your_handle_hint') ?>"
+                label="<?= esc(lang('Fediverse.your_handle')) ?>"
+                hint="<?= esc(lang('Fediverse.your_handle_hint')) ?>"
                required="true"
            />
            <Button variant="primary" type="submit" class="self-end" iconRight="send-plane"><?= lang('Fediverse.follow.submit') ?></Button>
--- a/themes/cp_app/podcast/unlock.php
+++ b/themes/cp_app/podcast/unlock.php
@ -50,7 +50,7 @@
                class="self-stretch mt-4 text-left"
                name="token"
                type="password"
-                label="<?= lang('PremiumPodcasts.unlock_form.token') ?>"
+                label="<?= esc(lang('PremiumPodcasts.unlock_form.token')) ?>"
                hint="<?= lang('PremiumPodcasts.unlock_form.token_hint', [
                    'podcastTitle' => esc($podcast->title),
                ]) ?>"
--- a/themes/cp_app/post/remote_action.php
+++ b/themes/cp_app/post/remote_action.php
@ -48,8 +48,8 @@

            <Forms.Field
                name="handle"
-                label="<?= lang('Fediverse.your_handle') ?>"
-                hint="<?= lang('Fediverse.your_handle_hint') ?>"
+                label="<?= esc(lang('Fediverse.your_handle')) ?>"
+                hint="<?= esc(lang('Fediverse.your_handle_hint')) ?>"
                required="true" />

            <Button variant="primary" type="submit" class="self-end" iconRight="send-plane"><?= lang('Fediverse.' . $action . '.submit') ?></Button>
--- a/themes/cp_auth/email_2fa_show.php
+++ b/themes/cp_auth/email_2fa_show.php
@ -16,8 +16,8 @@ use Modules\Auth\Config\Auth;

    <Forms.Field
        name="email"
-        label="<?= lang('Auth.email') ?>"
-        helper="<?= lang('Auth.confirmEmailAddress') ?>"
+        label="<?= esc(lang('Auth.email')) ?>"
+        helper="<?= esc(lang('Auth.confirmEmailAddress')) ?>"
        required="true"
        type="email"
        inputmode="email"
--- a/themes/cp_auth/email_2fa_verify.php
+++ b/themes/cp_auth/email_2fa_verify.php
@ -15,8 +15,8 @@ use Modules\Auth\Config\Auth;

    <Forms.Field
        name="token"
-        label="<?= lang('Auth.code') ?>"
-        helper="<?= lang('Auth.emailConfirmCode') ?>"
+        label="<?= esc(lang('Auth.code')) ?>"
+        helper="<?= esc(lang('Auth.emailConfirmCode')) ?>"
        pattern="[0-9]*"
        placeholder="000000"
        required="true"
--- a/themes/cp_auth/email_activate_show.php
+++ b/themes/cp_auth/email_activate_show.php
@ -18,7 +18,7 @@ use Modules\Auth\Config\Auth;
    <!-- Code -->
    <Forms.Field
        name="token"
-        label="<?= lang('Auth.token') ?>"
+        label="<?= esc(lang('Auth.token')) ?>"
        required="true"
        inputmode="numeric"
        pattern="[0-9]*"
--- a/themes/cp_auth/login.php
+++ b/themes/cp_auth/login.php
@ -16,7 +16,7 @@ use Modules\Auth\Config\Auth;

    <Forms.Field
        name="email"
-        label="<?= lang('Auth.email') ?>"
+        label="<?= esc(lang('Auth.email')) ?>"
        required="true"
        type="email"
        inputmode="email"
@ -26,7 +26,7 @@ use Modules\Auth\Config\Auth;

    <Forms.Field
        name="password"
-        label="<?= lang('Auth.password') ?>"
+        label="<?= esc(lang('Auth.password')) ?>"
        type="password"
        inputmode="text"
        autocomplete="current-password"
--- a/themes/cp_auth/magic_link_form.php
+++ b/themes/cp_auth/magic_link_form.php
@ -15,7 +15,7 @@ use Modules\Auth\Config\Auth;

    <Forms.Field
        name="email"
-        label="<?= lang('Auth.email') ?>"
+        label="<?= esc(lang('Auth.email')) ?>"
        required="true"
        inputmode="email"
        autocomplete="email"
--- a/themes/cp_auth/magic_link_set_password.php
+++ b/themes/cp_auth/magic_link_set_password.php
@ -18,7 +18,7 @@ use Modules\Auth\Config\Auth;

 <Forms.Field
    name="new_password"
-    label="<?= lang('Auth.password') ?>"
+    label="<?= esc(lang('Auth.password')) ?>"
    type="password"
    required="true"
    inputmode="text"
--- a/themes/cp_auth/register.php
+++ b/themes/cp_auth/register.php
@ -18,14 +18,14 @@ use Modules\Auth\Config\Auth;

 <Forms.Field
    name="username"
-    label="<?= lang('Auth.username') ?>"
+    label="<?= esc(lang('Auth.username')) ?>"
    autocomplete="username"
    inputmode="text"
    required="true" />

 <Forms.Field
    name="email"
-    label="<?= lang('Auth.email') ?>"
+    label="<?= esc(lang('Auth.email')) ?>"
    type="email"
    inputmode="email"
    autocomplete="email"
@ -33,7 +33,7 @@ use Modules\Auth\Config\Auth;

 <Forms.Field
    name="password"
-    label="<?= lang('Auth.password') ?>"
+    label="<?= esc(lang('Auth.password')) ?>"
    type="password"
    required="true"
    inputmode="text"
@ -41,7 +41,7 @@ use Modules\Auth\Config\Auth;

 <Forms.Field
    name="password_confirm"
-    label="<?= lang('Auth.passwordConfirm') ?>"
+    label="<?= esc(lang('Auth.passwordConfirm')) ?>"
    type="password"
    required="true"
    inputmode="text"
--- a/themes/cp_install/cache_config.php
+++ b/themes/cp_install/cache_config.php
@ -19,7 +19,7 @@
 <Forms.Field
    as="Select"
    name="cache_handler"
-    label="<?= lang('Install.form.cache_handler') ?>"
+    label="<?= esc(lang('Install.form.cache_handler')) ?>"
    options="<?= esc(json_encode([
            'file'   => lang('Install.form.cacheHandlerOptions.file'),
            'redis'  => lang('Install.form.cacheHandlerOptions.redis'),
--- a/themes/cp_install/create_superadmin.php
+++ b/themes/cp_install/create_superadmin.php
@ -12,19 +12,19 @@

 <Forms.Field
    name="username"
-    label="<?= lang('Install.form.username') ?>"
+    label="<?= esc(lang('Install.form.username')) ?>"
    required="true" />

 <Forms.Field
    name="email"
-    label="<?= lang('Install.form.email') ?>"
+    label="<?= esc(lang('Install.form.email')) ?>"
    type="email"
    autocomplete="username"
    required="true" />

 <Forms.Field
    name="password"
-    label="<?= lang('Install.form.password') ?>"
+    label="<?= esc(lang('Install.form.password')) ?>"
    type="password"
    required="true"
    autocomplete="new-password" />
--- a/themes/cp_install/database_config.php
+++ b/themes/cp_install/database_config.php
@ -25,27 +25,27 @@ use Config\Database;

 <Forms.Field
    name="db_hostname"
-    label="<?= lang('Install.form.db_hostname') ?>"
+    label="<?= esc(lang('Install.form.db_hostname')) ?>"
    value="<?= config(Database::class)->default['hostname'] ?>"
    required="true"
 />

 <Forms.Field
    name="db_name"
-    label="<?= lang('Install.form.db_name') ?>"
+    label="<?= esc(lang('Install.form.db_name')) ?>"
    value="<?= config(Database::class)->default['database'] ?>"
    required="true" />

 <Forms.Field
    name="db_username"
-    label="<?= lang('Install.form.db_username') ?>"
+    label="<?= esc(lang('Install.form.db_username')) ?>"
    value="<?= config(Database::class)->default['username'] ?>"
    required="true"
    autocomplete="off" />

 <Forms.Field
    name="db_password"
-    label="<?= lang('Install.form.db_password') ?>"
+    label="<?= esc(lang('Install.form.db_password')) ?>"
    value="<?= config(Database::class)->default['password'] ?>"
    type="password"
    required="true"
@ -53,8 +53,8 @@ use Config\Database;

 <Forms.Field
    name="db_prefix"
-    label="<?= lang('Install.form.db_prefix') ?>"
-    hint="<?= lang('Install.form.db_prefix_hint') ?>"
+    label="<?= esc(lang('Install.form.db_prefix')) ?>"
+    hint="<?= esc(lang('Install.form.db_prefix_hint')) ?>"
    value="<?= config(Database::class)->default['DBPrefix'] ?>" />

 <Button variant="primary" type="submit" class="self-end" iconRight="arrow-right"><?= lang('Install.form.next') ?></Button>
--- a/themes/cp_install/instance_config.php
+++ b/themes/cp_install/instance_config.php
@ -20,26 +20,26 @@ use Modules\Install\Config\Install;

 <Forms.Field
    name="hostname"
-    label="<?= lang('Install.form.hostname') ?>"
+    label="<?= esc(lang('Install.form.hostname')) ?>"
    value="<?= host_url() === null ? config(App::class)->baseURL : host_url() ?>"
    required="true" />

 <Forms.Field
    name="media_base_url"
-    label="<?= lang('Install.form.media_base_url') ?>"
-    hint="<?= lang('Install.form.media_base_url_hint') ?>" />
+    label="<?= esc(lang('Install.form.media_base_url')) ?>"
+    hint="<?= esc(lang('Install.form.media_base_url_hint')) ?>" />

 <Forms.Field
    name="admin_gateway"
-    label="<?= lang('Install.form.admin_gateway') ?>"
-    hint="<?= lang('Install.form.admin_gateway_hint') ?>"
+    label="<?= esc(lang('Install.form.admin_gateway')) ?>"
+    hint="<?= esc(lang('Install.form.admin_gateway_hint')) ?>"
    value="<?= config(Admin::class)->gateway ?>"
    required="true" />

 <Forms.Field
    name="auth_gateway"
-    label="<?= lang('Install.form.auth_gateway') ?>"
-    hint="<?= lang('Install.form.auth_gateway_hint') ?>"
+    label="<?= esc(lang('Install.form.auth_gateway')) ?>"
+    hint="<?= esc(lang('Install.form.auth_gateway_hint')) ?>"
    value="<?= config(Auth::class)->gateway ?>"
    required="true" />