From 39d975a279dc954491f7286f91286d91423a6f76 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Wed, 4 Oct 2023 12:27:45 -0600
Subject: [PATCH] Add allowed API commands regex and sofia_contact

---
 app/destinations/destination_edit.php | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/destinations/destination_edit.php b/app/destinations/destination_edit.php
index d0a6c75687..61a4097acf 100644
--- a/app/destinations/destination_edit.php
+++ b/app/destinations/destination_edit.php
@@ -537,7 +537,24 @@
 								$action_array = explode(":", $destination_action, 2);
 								if (isset($action_array[0]) && !empty($action_array[0])) {
 									if ($destination->valid($action_array[0].':'.$action_array[1])) {
-										$dialplan["dialplan_xml"] .= "		<action application=\"".xml::sanitize($action_array[0])."\" data=\"".xml::sanitize($action_array[1])."\"/>\n";
+										//set variables from the action array
+										$action_app = $action_array[0];
+										$action_data = $action_array[1];
+
+										//allow specific api commands
+										$allowed_commands = array();
+										$allowed_commands[] = "regex";
+										$allowed_commands[] = "sofia_contact";
+										foreach ($allowed_commands as $allowed_command) {
+											$action_data = str_replace('${'.$allowed_command, '#{'.$allowed_command, $action_data);
+										}
+										$action_data = xml::sanitize($action_data);
+										foreach ($allowed_commands as $allowed_command) {
+											$action_data = str_replace('#{'.$allowed_command, '${'.$allowed_command, $action_data);
+										}
+
+										//add the action to the dialplan xml
+										$dialplan["dialplan_xml"] .= "		<action application=\"".xml::sanitize($action_app)."\" data=\"".$action_data."\"/>\n";
 									}
 								}
 							}