Security update for /core/default_settings

core/default_settings/default_settings.php

@@ -17,7 +17,7 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <markjcrane@fusionpbx.com>
-	Portions created by the Initial Developer are Copyright (C) 2008 - 2020
+	Portions created by the Initial Developer are Copyright (C) 2008 - 2021
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
@@ -51,6 +51,11 @@
 		$default_settings = $_POST['default_settings'];
 	}
 
+//sanitize the variables
+	$action = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $action);
+	$search = preg_replace('#[^a-zA-Z0-9_\-\. ]#', '', $search);
+	$default_setting_category = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $default_setting_category);
+
 //process the http post data by action
 	if ($action != '' && is_array($default_settings) && @sizeof($default_settings) != 0) {
 		switch ($action) {
@@ -279,8 +284,11 @@
 		$x = 0;
 		foreach ($default_settings as $row) {
 			$default_setting_category = strtolower($row['default_setting_category']);
-
+			$default_setting_category = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $default_setting_category);
+	
 			$label_default_setting_category = $row['default_setting_category'];
+			$label_default_setting_category = preg_replace('#[^a-zA-Z0-9_\-\. ]#', '', $label_default_setting_category);
+
 			switch (strtolower($label_default_setting_category)) {
 				case "api" : $label_default_setting_category = "API"; break;
 				case "cdr" : $label_default_setting_category = "CDR"; break;
@@ -451,4 +459,4 @@
 //include the footer
 	require_once "resources/footer.php";
 
-?>
+?>