Security: username url xss (#7244)
# Description & Issue number it closes
<!-- Please include a summary of the changes and the related issue.
Please also include relevant motivation and context. -->

## Screenshots (if appropriate)
<!-- Before and after -->

## How to test the changes?

see [Reflected XSS the login page through the 'username' parameter..pdf](https://github.com/user-attachments/files/18635162/Reflected.XSS.the.login.page.through.the.username.parameter.pdf)
m modules

and get an alert, after the fix it is just added to the username

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] This change requires a documentation update

# How Has This Been Tested?

<!-- Please describe the tests that you ran to verify your changes.
Provide instructions so we can reproduce. Please also list any relevant
details for your test configuration -->

# Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream
DawoudIO authored Feb 3, 2025
2 parents 0335534 + e995067 commit 27372c7
Showing 2 changed files with 8 additions and 2 deletions.
5 changes: 5 additions & 0 deletions src/ChurchCRM/utils/InputUtils.php
Expand Up @@ -43,6 +43,11 @@ public static function filterString($sInput): string
return strip_tags(trim($sInput));
}

public static function filterSanitizeString($sInput): string
{
return filter_var(trim($sInput), FILTER_SANITIZE_SPECIAL_CHARS);
}

public static function filterHTML($sInput): string
{
return strip_tags(trim($sInput), self::$AllowedHTMLTags);
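Review bot: `filterSanitizeString` is named like a general-purpose sanitizer, but what `FILTER_SANITIZE_SPECIAL_CHARS` actually does is HTML-encode `'`, `"`, `<`, `>`, `&` and characters below ASCII 32; it strips nothing, and its result is only safe in an HTML body or attribute context and only if the template does not escape it a second time. Suggest a short docblock above the method stating that this is HTML output encoding and which context it is meant for, and consider `FILTER_SANITIZE_FULL_SPECIAL_CHARS`, which PHP documents as equivalent to `htmlspecialchars()` with `ENT_QUOTES` and is the conventional primitive for this purpose. Like the neighbouring helpers, the method takes an untyped `$sInput`, and `trim(null)` has been deprecated since PHP 8.1, so declaring the parameter as `?string` and returning `''` for null would keep callers that pass a possibly-missing request parameter warning-free.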
5 changes: 3 additions & 2 deletions src/session/index.php
Expand Up @@ -7,6 +7,7 @@
use ChurchCRM\Authentication\Requests\LocalUsernamePasswordRequest;
use ChurchCRM\dto\SystemURLs;
use ChurchCRM\Slim\Middleware\VersionMiddleware;
use ChurchCRM\Utils\InputUtils;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Factory\AppFactory;
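Review bot: the new import spells the namespace segment `ChurchCRM\Utils`, while the file changed in this same commit lives at `src/ChurchCRM/utils/InputUtils.php`; under a plain PSR-4 mapping that only resolves on a case-insensitive filesystem, so confirm that the project's autoloader (an existing classmap, or a mapping that already bridges the case difference) loads the class on Linux before relying on it from the login path.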
Expand Down Expand Up @@ -80,8 +81,8 @@ function beginSession(Request $request, Response $response, array $args): Respon
$renderer = new PhpRenderer('templates/');

// Determine if appropriate to pre-fill the username field
$pageArgs['prefilledUserName'] = $request->getQueryParams()['username'] ??
$request->getServerParams()['username'] ??
$pageArgs['prefilledUserName'] = InputUtils::filterSanitizeString($request->getQueryParams()['username']) ??
InputUtils::filterSanitizeString($request->getServerParams()['username']) ??
'';

return $renderer->render($response, 'begin-session.php', $pageArgs);
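Review bot: wrapping each array access in `InputUtils::filterSanitizeString(...)` moves the `??` outside the lookup, so the null-coalescing no longer guards the missing key. When `username` is absent from the query string, `$request->getQueryParams()['username']` emits an "Undefined array key" warning and passes `null` into the helper, which returns `''` rather than `null`, so the chain never falls through to the server-params branch or to the `''` default (both are now dead). Apply the encoding once, outside the coalesce:
`$pageArgs['prefilledUserName'] = InputUtils::filterSanitizeString(`
`    $request->getQueryParams()['username'] ?? $request->getServerParams()['username'] ?? ''`
`);`
Also confirm how `begin-session.php` emits `prefilledUserName`: if the template already passes it through `htmlspecialchars()` (the output point is the usual place to fix a reflected XSS), encoding it here as well will show `&amp;`-style double escaping in the pre-filled field.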
