
wp-ffpc v 1.10.1 security vulnerable; form fields are not escaped

Open diablodale opened this issue 8 years ago • 1 comment

Throughout the code for wp-ffpc v 1.10.1, the code does not escape html and its values before/after processing by the form page. Therefore, it is possible for:

  1. a malicious string of html to be put in the config (using the form, direct to db, or direct to config file)
  2. that string is read and rendered to the wp-ffpc forms page as a concatenated string value (e.g. the nocache_cookies string value is between two double quotes on an input field)
  3. the malicious string could have its own double quote + a string of html causing XSS problems, automation to destroy the site, or any number of other hostile actions.

All input which is taken from users/admins and later rendered down to a browser needs to be evaluated for security holes like this. An example of this in wp-ffpc-class.php:

value="<?php echo $this->options['nocache_cookies']; ?>"
   should be instead
value="<?php echo htmlspecialchars($this->options['nocache_cookies']); ?>"

diablodale avatar Sep 06 '16 16:09 diablodale
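The attribute-breakout described in the issue, reproduced as an added example (not code from the wp-ffpc plugin or from the reporter): the form line is modelled in Python, once echoing the stored value raw and once with `htmlspecialchars`-style escaping, and a browser-style parse shows whether the value stays inside its `value="..."` attribute. The `nocache_cookies` sample values are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample config values (not taken from the plugin): a benign one
# and one carrying a double quote plus extra markup, the case the issue raises.
BENIGN = "wordpress_logged_in_,comment_author_"
HOSTILE = 'wordpress_logged_in_" onfocus="alert(1)'


def render_input(value: str, escaped: bool) -> str:
    """Mirror the wp-ffpc form line  value="<?php echo ...; ?>".
    escaped=False reproduces the unescaped echo; escaped=True applies the
    htmlspecialchars-style escaping the issue proposes (html.escape covers the
    same characters, and also the single quote, as PHP 8.1+ does by default)."""
    rendered = html.escape(value, quote=True) if escaped else value
    return f'<input type="text" name="nocache_cookies" value="{rendered}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the <input> tag the way a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs  # attribute values arrive entity-decoded


def parse_input_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    return dict(parser.attrs)


def value_survives_intact(value: str, escaped: bool) -> bool:
    """True when the parsed tag has exactly the three intended attributes and
    the stored value round-trips unchanged; False means the value escaped its
    attribute and injected markup of its own."""
    attrs = parse_input_attrs(render_input(value, escaped))
    return set(attrs) == {"type", "name", "value"} and attrs["value"] == value
```

Without escaping, the hostile value turns into a fourth attribute (`onfocus`); with escaping, the parser hands the original string back unchanged and no extra attribute exists.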