Cross Site Scripting Vulnerability on "Name" via "Application Entities" feature in Rukovoditel v2.7.2

TuongNC
Name: Tuong Ngo Cat

Post by TuongNC »

**Describe the bug**
An authenticated malicious user can take advantage of a Stored XSS vulnerability on "Name" via the "Application Entities" feature in Rukovoditel v2.7.2.
**To Reproduce**
Steps to reproduce the behavior:
1. Log into the panel.
2. Go to "/index.php?module=entities/entities"
3. Select "Add New Entity"
4. Insert Payload in "Name":
```
// # "><svg/onload=prompt(/TuongNC/)>
"><svg/onload=alert(document.domain)>
"><img src onerror=alert("TuongNC")>
```
5. Click "Save"
6. View the List module to see the Stored XSS.
**Expected behavior**
You must HTML Entity encode any output that is Stored back to the page.
**Impact**
Common impacts include transmitting private data, such as cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.
**Screenshots**
https://i.imgur.com/fircXPX.png
https://i.imgur.com/Mx40jx2.png
**Desktop (please complete the following information):**
- OS: Windows
- Browser: Google Chrome
- Version: 87.0.4280.88
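The output encoding asked for under "Expected behavior", shown as an added example that is not part of the original post and is not Rukovoditel's own code. The helpers `e`, `render_row_unsafe` and `render_row_safe` are hypothetical, and the sample names are constructed from the "Name" values in step 4.

```php
<?php
// Added example: hypothetical rendering helpers, not Rukovoditel's code.

// Constructed sample input: one benign name plus "Name" values from step 4.
$names = [
    'Projects',
    '"><svg/onload=alert(document.domain)>',
    '"><img src onerror=alert("TuongNC")>',
];

// Encode for HTML text and quoted-attribute contexts.
// ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so a leading "> closes the attribute and the tag.
function render_row_unsafe(string $name): string
{
    return '<tr><td><a title="' . $name . '">' . $name . '</a></td></tr>';
}

// Hardened pattern: encode at output time, everywhere the value appears.
function render_row_safe(string $name): string
{
    return '<tr><td><a title="' . e($name) . '">' . e($name) . '</a></td></tr>';
}

// The template's own markup, removed before checking what the value left behind.
$template = ['<tr>', '<td>', '<a title="', '">', '</a>', '</td>', '</tr>'];

foreach ($names as $name) {
    $safe = render_row_safe($name);

    // After encoding, no <, > or " from the stored value survives as markup.
    $residue = str_replace($template, '', $safe);
    $clean = strpbrk($residue, '<>"') === false;

    printf("input : %s\nunsafe: %s\nsafe  : %s\nvalue stays inert: %s\n\n",
        $name, render_row_unsafe($name), $safe, $clean ? 'yes' : 'no');
}
```

`htmlspecialchars` is the right encoder for HTML text and quoted attributes only; a value placed inside a script block, an unquoted attribute or a URL needs the encoding for that context instead.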