From 5d5219af613f254ddd5343adf2748e68b5a8c85c Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Sat, 30 Jun 2018 11:36:05 -0600
Subject: [PATCH] Update conference_room_edit.php

---
 .../conference_room_edit.php                  | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/app/conference_centers/conference_room_edit.php b/app/conference_centers/conference_room_edit.php
index 8b62f4e042..2dff725f8f 100644
--- a/app/conference_centers/conference_room_edit.php
+++ b/app/conference_centers/conference_room_edit.php
@@ -172,7 +172,7 @@
 		}
 
 		messages::add($text['message-delete']);
-		header("Location: conference_room_edit.php?id=".$conference_room_uuid);
+		header("Location: conference_room_edit.php?id=".escape($conference_room_uuid));
 		return;
 	}
 
@@ -453,7 +453,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 					messages::add($text['message-add']);
 				}
 
-			header("Location: conference_room_edit.php?id=".$conference_room_uuid);
+			header("Location: conference_room_edit.php?id=".escape($conference_room_uuid));
 			return;
 
 		} //if ($_POST["persistformvar"] != "true")
@@ -553,8 +553,8 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<td width='70%' align='right' valign='top'>\n";
 	echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='conference_rooms.php'\" value='".$text['button-back']."'>\n";
 	if (strlen($meeting_uuid) > 0) {
-		echo "	<input type='button' class='btn' name='' alt='".$text['button-sessions']."' onclick=\"window.location='conference_sessions.php?id=".$meeting_uuid."'\" value='".$text['button-sessions']."'>\n";
-		echo "	<input type='button' class='btn' name='' alt='".$text['button-view']."' onclick=\"window.location='".PROJECT_PATH."/app/conferences_active/conference_interactive.php?c=".$meeting_uuid."'\" value='".$text['button-view']."'>\n";
+		echo "	<input type='button' class='btn' name='' alt='".$text['button-sessions']."' onclick=\"window.location='conference_sessions.php?id=".escape($meeting_uuid)."'\" value='".$text['button-sessions']."'>\n";
+		echo "	<input type='button' class='btn' name='' alt='".$text['button-view']."' onclick=\"window.location='".PROJECT_PATH."/app/conferences_active/conference_interactive.php?c=".escape($meeting_uuid)."'\" value='".$text['button-view']."'>\n";
 	}
 	echo "	<input type='submit' name='submit' class='btn' value='".$text['button-save']."'>\n";
 	echo "<br />\n";
@@ -568,10 +568,10 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	<select class='formfld' name='conference_center_uuid'>\n";
 	foreach ($conference_centers as &$row) {
 		if ($conference_center_uuid == $row["conference_center_uuid"]) {
-			echo "		<option value='".$row["conference_center_uuid"]."' selected='selected'>".$row["conference_center_name"]."</option>\n";
+			echo "		<option value='".escape($row["conference_center_uuid"])."' selected='selected'>".escape($row["conference_center_name"])."</option>\n";
 		}
 		else {
-			echo "		<option value='".$row["conference_center_uuid"]."'>".$row["conference_center_name"]."</option>\n";
+			echo "		<option value='".escape($row["conference_center_uuid"])."'>".escape($row["conference_center_name"])."</option>\n";
 		}
 	}
 	unset ($prep_statement);
@@ -584,7 +584,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	<tr>";
 	echo "		<td class='vncell' valign='top'>".$text['label-room-name']."</td>";
 	echo "		<td class='vtable' align='left'>";
-	echo "  		<input class='formfld' type='text' name='conference_room_name' maxlength='255' value='$conference_room_name'>\n";
+	echo "  		<input class='formfld' type='text' name='conference_room_name' maxlength='255' value='".escape($conference_room_name)."'>\n";
 	echo "			<br />\n";
 	echo "			".$text['description-room-name']."\n";
 	echo "		</td>";
@@ -593,7 +593,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	<tr>";
 	echo "		<td class='vncell' valign='top'>".$text['label-moderator-pin']."</td>";
 	echo "		<td class='vtable' align='left'>";
-	echo "  		<input class='formfld' type='text' name='moderator_pin' maxlength='255' value='$moderator_pin'>\n";
+	echo "  		<input class='formfld' type='text' name='moderator_pin' maxlength='255' value='".escape($moderator_pin)."'>\n";
 	echo "			<br />\n";
 	echo "			".$text['description-moderator_pin']."\n";
 	echo "		</td>";
@@ -602,7 +602,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	<tr>";
 	echo "		<td class='vncell' valign='top'>".$text['label-participant-pin']."</td>";
 	echo "		<td class='vtable' align='left'>";
-	echo "  		<input class='formfld' type='text' name='participant_pin' maxlength='255' value='$participant_pin'>\n";
+	echo "  		<input class='formfld' type='text' name='participant_pin' maxlength='255' value='".escape($participant_pin)."'>\n";
 	echo "			<br />\n";
 	echo "			".$text['description-participant-pin']."\n";
 	echo "		</td>";
@@ -616,10 +616,10 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 			echo "			<table border='0' style='width : 235px;'>\n";
 			foreach($meeting_users as $field) {
 				echo "			<tr>\n";
-				echo "				<td class='vtable'>".$field['username']."</td>\n";
+				echo "				<td class='vtable'>".escape($field['username'])."</td>\n";
 				echo "				<td style='width: 25px;' align='right'>\n";
 				if (permission_exists('conference_room_delete')) {
-					echo "					<a href='conference_room_edit.php?meeting_user_uuid=".$field['meeting_user_uuid']."&conference_room_uuid=".$conference_room_uuid."&a=delete' alt='delete' onclick=\"return confirm(".$text['confirm-delete'].")\">$v_link_label_delete</a>\n";
+					echo "					<a href='conference_room_edit.php?meeting_user_uuid=".escape($field['meeting_user_uuid'])."&conference_room_uuid=".escape($conference_room_uuid)."&a=delete' alt='delete' onclick=\"return confirm(".$text['confirm-delete'].")\">$v_link_label_delete</a>\n";
 				}
 				echo "				</td>\n";
 				echo "			</tr>\n";
@@ -631,7 +631,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 			echo "			<select name=\"user_uuid\" class='formfld' style='width: auto;'>\n";
 			echo "			<option value=\"\"></option>\n";
 			foreach($users as $field) {
-				echo "			<option value='".$field['user_uuid']."'>".$field['username']."</option>\n";
+				echo "			<option value='".escape($field['user_uuid'])."'>".escape($field['username'])."</option>\n";
 			}
 			echo "			</select>";
 			if ($action == "update") {
@@ -652,10 +652,10 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 		echo "	<select class='formfld' name='profile'>\n";
 		foreach ($conference_profiles as $row) {
 			if ($profile === $row['profile_name']) {
-					echo "	<option value='". $row['profile_name'] ."' selected='selected'>". $row['profile_name'] ."</option>\n";
+					echo "	<option value='". escape($row['profile_name']) ."' selected='selected'>". escape($row['profile_name']) ."</option>\n";
 			}
 			else {
-					echo "	<option value='". $row['profile_name'] ."'>". $row['profile_name'] ."</option>\n";
+					echo "	<option value='". escape($row['profile_name']) ."'>". escape($row['profile_name']) ."</option>\n";
 			}
 		}
 		echo "	</select>\n";
@@ -693,7 +693,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 		echo "<tr>\n";
 		echo "<td class='vncell' valign='top' align='left' nowrap='nowrap'>".$text['label-max-members']."</td>\n";
 		echo "<td class='vtable' align='left'>\n";
-		echo "  <input class='formfld' type='text' name='max_members' maxlength='255' value='$max_members'>\n";
+		echo "  <input class='formfld' type='text' name='max_members' maxlength='255' value='".escape($max_members)."'>\n";
 		echo "<br />\n";
 		echo "\n";
 		echo "</td>\n";
@@ -703,8 +703,8 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<tr>\n";
 	echo "<td class='vncell' valign='top' nowrap='nowrap' width='30%'>".$text['label-schedule']."</td>\n";
 	echo "<td class='vtable' width='70%' align='left' style='position: relative; min-width: 275px;'>\n";
-	echo "		<input type='text' class='formfld datetimepicker' style='min-width: 115px; width: 115px; max-width: 115px;' name='start_datetime' id='start_datetime' placeholder='".$text['label-from']."' value='".$start_datetime."'>\n";
-	echo "		<input type='text' class='formfld datetimepicker' style='min-width: 115px; width: 115px; max-width: 115px;' name='stop_datetime' id='stop_datetime' placeholder='".$text['label-to']."' value='".$stop_datetime."'>\n";
+	echo "		<input type='text' class='formfld datetimepicker' style='min-width: 115px; width: 115px; max-width: 115px;' name='start_datetime' id='start_datetime' placeholder='".$text['label-from']."' value='".escape($start_datetime)."'>\n";
+	echo "		<input type='text' class='formfld datetimepicker' style='min-width: 115px; width: 115px; max-width: 115px;' name='stop_datetime' id='stop_datetime' placeholder='".$text['label-to']."' value='".escape($stop_datetime)."'>\n";
 	echo "	<br>".$text['description-schedule'];
 	echo "</td>\n";
 	echo "</tr>\n";
@@ -762,7 +762,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	//echo "	".$text['label-enter-sound']."\n";
 	//echo "</td>\n";
 	//echo "<td class='vtable' align='left'>\n";
-	//echo "	<input class='formfld' type='text' name='enter_sound' maxlength='255' value=\"$enter_sound\">\n";
+	//echo "	<input class='formfld' type='text' name='enter_sound' maxlength='255' value=\"".escape($enter_sound)."\">\n";
 	//echo "<br />\n";
 	//echo "\n";
 	//echo "</td>\n";
@@ -846,7 +846,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<tr>\n";
 	echo "<td class='vncell' valign='top' align='left' nowrap='nowrap'>".$text['label-description']."</td>\n";
 	echo "<td class='vtable' align='left'>\n";
-	echo "	<input class='formfld' type='text' name='description' maxlength='255' value=\"$description\">\n";
+	echo "	<input class='formfld' type='text' name='description' maxlength='255' value=\"".escape($description)."\">\n";
 	echo "<br />\n";
 	echo "\n";
 	echo "</td>\n";
@@ -856,9 +856,9 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	<td colspan='2' align='right'>\n";
 	echo "		<br>";
 	if ($action == "update") {
-		echo "	<input type='hidden' name='conference_center_uuid' value='$conference_center_uuid'>\n";
-		echo "	<input type='hidden' name='meeting_uuid' value='$meeting_uuid'>\n";
-		echo "	<input type='hidden' name='conference_room_uuid' value='$conference_room_uuid'>\n";
+		echo "	<input type='hidden' name='conference_center_uuid' value='".escape($conference_center_uuid)."'>\n";
+		echo "	<input type='hidden' name='meeting_uuid' value='".escape($meeting_uuid)."'>\n";
+		echo "	<input type='hidden' name='conference_room_uuid' value='".escape($conference_room_uuid)."'>\n";
 	}
 	echo "		<input type='submit' name='submit' class='btn' value='".$text['button-save']."'>\n";
 	echo "	</td>\n";
@@ -869,7 +869,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 
 	echo "</form>";
 
-
 //include the footer
 	require_once "resources/footer.php";
+
 ?>

".$field['username']."	".escape($field['username'])."	\n"; if (permission_exists('conference_room_delete')) { - echo " $v_link_label_delete\n"; + echo " $v_link_label_delete\n"; } echo "
".$text['label-max-members']."	\n"; - echo " \n"; + echo " \n"; echo " \n"; echo "\n"; echo "
".$text['label-schedule']."	\n"; - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; echo " ".$text['description-schedule']; echo "
\n"; - //echo " \n"; + //echo " \n"; //echo " \n"; //echo "\n"; //echo "
".$text['label-description']."	\n"; - echo " \n"; + echo " \n"; echo " \n"; echo "\n"; echo "	\n"; echo " "; if ($action == "update") { - echo " \n"; - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; } echo " \n"; echo "