sanitize outputs

stats/index.php

@@ -11,16 +11,16 @@ include __DIR__."/../header.php";
     <?php foreach($members as $member) {
         $chans = explode(", ", $member->channel); ?>
         <div class="btn-group">
-            <a class="btn btn-default" href="<?=$member->link?>"><?=$member->name?></a>
+            <a class="btn btn-default" href="<?=$member->htmlspecialchars(link)?>"><?=htmlspecialchars($member->name)?></a>
             <?php foreach ($chans as $chan) { ?>
-                <a class="btn btn-primary" href="https://tilde.chat/kiwi/<?=$chan?>"><?=$chan?></a>
+                <a class="btn btn-primary" href="https://tilde.chat/kiwi/<?=htmlspecialchars($chan)?>"><?=htmlspecialchars($chan)?></a>
             <?php } ?>
         </div>
     <?php } ?>
 
 	<hr>
     <h3>full channel stats</h3>
-	<p>there are <?=$stats->usercount?> users across <?=$stats->channelcount?> channels.</p>
+	<p>there are <?=htmlspecialchars($stats->usercount)?> users across <?=htmlspecialchars($stats->channelcount)?> channels.</p>
 	<p>if the channel is set with <a href="https://docs.inspircd.org/3/modes/#channel-modes">chanmode +s</a> it will be omitted from this list.</p>
     <p>the table is sortable by clicking on the column headers</p>
 
@@ -37,9 +37,9 @@ include __DIR__."/../header.php";
 			<tbody data-link="row" class="rowlink">
 				<?php foreach($stats->channels as $channel): ?>
 					<tr>
-						<td><a href="<?=$channel->webchatlink?>"><?=$channel->name?></a></td>
-						<td><?=$channel->usercount?></td>
-						<td style="word-wrap: break-word; white-space: pre-wrap; max-width:700px"><?=$channel->topic?></td>
+						<td><a href="<?=$channel->webchatlink?>"><?=htmlspecialchars($channel->name)?></a></td>
+						<td><?=htmlspecialchars($channel->usercount)?></td>
+						<td style="word-wrap: break-word; white-space: pre-wrap; max-width:700px"><?=htmlspecialchars($channel->topic)?></td>
 					</tr>
 				<?php endforeach; ?>
 			</tbody>