wwbn/avideo Meet plugin Stored XSS via User-Agent header
What changed
Stored XSS vulnerability in Meet plugin: raw HTTP User-Agent header is stored and later rendered without output encoding in the participant management panel, allowing unauthenticated attackers to execute arbitrary JavaScript in the browser of meeting hosts or site administrators.
Who it affects
Any WWBN/AVideo instance with the Meet plugin enabled; instances that host public meetings are exposed to unauthenticated attackers, since joining a public meeting is enough to get an attacker-chosen User-Agent header stored. The payload executes when a host or administrator views the participant list.
What to do today
Apply the suggested fix: HTML-encode the user_agent value at the point of output with htmlspecialchars() in plugin/Meet/getMeetInfo.json.php:71 (pass ENT_QUOTES and 'UTF-8' explicitly so quotes are escaped and the result is also safe inside attributes on PHP versions older than 8.1, where those are not the defaults), and consider additionally sanitizing on write in Meet_join_log::setUser_agent(). Output encoding is the fix; sanitizing on write is defence in depth only, since the stored value remains attacker-controlled text and any other code path that renders it must still encode for its own context.
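The store-then-render flow described above, as an added example that is not the project's own code: a join-log row keeps the raw User-Agent header, a vulnerable render interpolates it straight into HTML, and the hardened render encodes it with htmlspecialchars() at the point of output. The class and function names (JoinLogRow, recordJoinRaw, renderParticipantRow*, normaliseUserAgentForStorage) are hypothetical stand-ins for the real Meet_join_log and getMeetInfo.json.php code, the User-Agent value is constructed, and the write-side normaliser assumes the mbstring extension is available.

```php
<?php
// Added example, not AVideo's own code. Models the flow in the advisory:
// a join-log row stores the raw User-Agent header and a participant panel
// later renders it. All names below are hypothetical stand-ins.
declare(strict_types=1);

final class JoinLogRow
{
    public function __construct(public string $user_agent) {}
}

// Write side, as the advisory describes the current behaviour: the header is
// stored exactly as sent, so the attacker fully controls this string.
function recordJoinRaw(array $server): JoinLogRow
{
    return new JoinLogRow($server['HTTP_USER_AGENT'] ?? '');
}

// Read side, vulnerable: the stored value is dropped into HTML unencoded,
// so any tag in it becomes part of the host's page.
function renderParticipantRowVulnerable(JoinLogRow $row): string
{
    return '<tr><td class="ua">' . $row->user_agent . '</td></tr>';
}

// Read side, fixed: encode for the HTML context at the point of output.
// ENT_QUOTES also escapes ' and " so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
// Both are defaults from PHP 8.1 but should be explicit for older versions.
function htmlEncode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderParticipantRowFixed(JoinLogRow $row): string
{
    return '<tr><td class="ua">' . htmlEncode($row->user_agent) . '</td></tr>';
}

// Optional defence in depth on write (the advisory's "sanitize on write"):
// strip control bytes and cap the length. This does NOT replace output
// encoding; the stored value is still untrusted text and every consumer
// must encode for its own context. Assumes the mbstring extension.
function normaliseUserAgentForStorage(string $ua): string
{
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '';
    return mb_substr($ua, 0, 512, 'UTF-8');
}

function recordJoinNormalised(array $server): JoinLogRow
{
    return new JoinLogRow(normaliseUserAgentForStorage($server['HTTP_USER_AGENT'] ?? ''));
}

// Constructed input: a join request whose User-Agent carries an XSS payload.
$constructedServer = [
    'HTTP_USER_AGENT' => "Mozilla/5.0 <img src=x onerror=\"alert(document.cookie)\">\x00",
];

$raw = recordJoinRaw($constructedServer);
$normalised = recordJoinNormalised($constructedServer);

echo "Vulnerable render (payload survives as live markup):\n";
echo renderParticipantRowVulnerable($raw), "\n\n";

echo "Fixed render (payload is inert text):\n";
echo renderParticipantRowFixed($raw), "\n\n";

echo "Normalised on write, still encoded on output:\n";
echo renderParticipantRowFixed($normalised), "\n";
```

Run with `php example.php`. The vulnerable render emits the `<img ... onerror=...>` tag intact inside the table cell; the fixed render emits `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text. The third line shows that normalising on write only removes the NUL byte and bounds the length; the angle brackets and quotes still have to be neutralised by the output encoder, which is why the render-side change is the one that closes the bug.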