From 88b34831e4660baa9b88497285aae0d72da48d7a Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Fri, 8 Jul 2022 18:28:08 -0600
Subject: [PATCH] Sanitize the menu link by restricting it to specific characters.
---
 core/menu/menu_item_edit.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/core/menu/menu_item_edit.php b/core/menu/menu_item_edit.php
index b13bbaa0c3..f1db4e07fc 100644
--- a/core/menu/menu_item_edit.php
+++ b/core/menu/menu_item_edit.php
@@ -17,7 +17,7 @@
 The Initial Developer of the Original Code is Mark J Crane
- Portions created by the Initial Developer are Copyright (C) 2008-2019
+ Portions created by the Initial Developer are Copyright (C) 2008-2022
 the Initial Developer. All Rights Reserved.
 Contributor(s):
@@ -87,6 +87,9 @@
 $menu_item_order = $_POST["menu_item_order"];
 }
+//sanitize the menu link
+ $menu_item_link = preg_replace('#[^a-zA-Z0-9_\-\.\&\=\?\/]#', '', $menu_item_link);
+
 //when a HTTP POST is available then process it
 if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
@@ -561,4 +564,4 @@
 //include the footer
 require_once "resources/footer.php";
-?>
\ No newline at end of file
+?>
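Review bot: The new preg_replace() in the second hunk silently rewrites a link containing a disallowed character instead of rejecting it, so an administrator who submits such a value gets a different, possibly still-valid, link stored with no error shown; validating with something like `if (!preg_match('#^[a-zA-Z0-9_\-\.\&\=\?\/]*$#', $menu_item_link)) { $error = 'invalid menu link'; }` (using the page's existing error mechanism) would surface the problem rather than hide it. The allowed set still includes `/`, `?`, `&` and `=`, so a protocol-relative value beginning with `//` passes through unchanged; if menu links are meant to be site-relative, a leading `//` should be rejected as well. The line also runs on every request rather than only on POST, and the block that assigns `$menu_item_link` starts outside the hunk, so if that assignment only happens inside the preceding `if`, a GET request reaches preg_replace() with an undefined variable and emits a warning. Filtering on input is not a substitute for escaping on output: wherever the stored link is rendered into an href it should still pass through htmlspecialchars().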