webssh2
Cross Site Script (XSS) attack on at least the `header` url param
You can execute an XSS using at least the `header` URL param (didn't check others, but assume the same for anything rendered on the page).
Ex:

```
http://localhost:2222/ssh/host/mydevice.local?header=<img src=x onerror=alert('XSS')>
```
Output:
The params would need to be sanitized properly to avoid rendering on the page.