Merge feature branch. Fixes #210 & #217. Thanks @D9ping

includes/webconsole.php

@@ -1,4 +1,14 @@
 <?php
+require_once 'config.php';
+require_once RASPI_CONFIG.'/raspap.php';
+
+session_start();
+header('X-Frame-Options: SAMEORIGIN');
+header("Content-Security-Policy: default-src 'none'; frame-src 'self'; connect-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+
+require_once 'authenticate.php';
+
+
 // Web Console v0.9.7 (2016-11-05)
 //
 // Author: Nickolay Kovalev (http://nickola.ru)

index.php

@@ -51,10 +51,10 @@ if(!isset($_COOKIE['theme'])) {
 } else {
     $theme = $_COOKIE['theme'];
 }
-$theme_url = 'dist/css/' . $theme;
-?>
 
-<!DOCTYPE html>
+$theme_url = 'dist/css/'.htmlspecialchars($theme, ENT_QUOTES);
+
+?><!DOCTYPE html>
 <html lang="en">
   <head>
     <meta charset="utf-8">