* Console:

- Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
  - Add Content-Security-Policy and X-XSS-Protection headers
  - Disable changing news feed URL from UI
  - Disable plugin install from UI
  - Disable setting unsigned update URL from UI
  - Disable /configadvanced
* DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
* ExecNamingService: Disable (thx joernchen of Phenoelit)
* Startup: Add susimail.config to migrated files
zzz
2014-07-26 09:32:26 +00:00
parent e9c8748c0b
commit af575d6c95
32 changed files with 124 additions and 61 deletions


@ -159,6 +159,8 @@ public class I2PSnarkServlet extends BasicServlet {
// this is the part after /i2psnark
String path = req.getServletPath();
resp.setHeader("X-Frame-Options", "SAMEORIGIN");
resp.setHeader("Content-Security-Policy", "default-src 'self'");
resp.setHeader("X-XSS-Protection", "1; mode=block");
String peerParam = req.getParameter("p");
String stParam = req.getParameter("st");
@ -167,9 +169,10 @@ public class I2PSnarkServlet extends BasicServlet {
peerParam.replaceAll("[a-zA-Z0-9~=-]", "").length() > 0) { // XSS
peerString = "";
} else {
peerString = "?p=" + peerParam;
peerString = "?p=" + DataHelper.stripHTML(peerParam);
}
if (stParam != null && !stParam.equals("0")) {
stParam = DataHelper.stripHTML(stParam);
if (peerString.length() > 0)
peerString += "&st=" + stParam;
else