From bed2d0e75ade4d80532b53a328541f1f731c2666 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Sat, 23 Sep 2017 17:41:44 -0600
Subject: [PATCH] Update calls.php

XSS prevention.
---
 app/calls/calls.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/app/calls/calls.php b/app/calls/calls.php
index fd82af4500..6bc671bc31 100644
--- a/app/calls/calls.php
+++ b/app/calls/calls.php
@@ -17,7 +17,7 @@
  The Initial Developer of the Original Code is
  Mark J Crane
- Portions created by the Initial Developer are Copyright (C) 2008-2016
+ Portions created by the Initial Developer are Copyright (C) 2008-2017
  the Initial Developer. All Rights Reserved.
 
  Contributor(s):
@@ -38,9 +38,8 @@
  exit;
 }
 
-//get the https values and set as variables
- $order_by = check_str($_GET["order_by"]);
- $order = check_str($_GET["order"]);
+//get the domain_uuid from the session
+ $domain_uuid = $_SESSION['domain_uuid'];
 
 //handle search term
  $search = check_str($_GET["search"]);
@@ -163,9 +162,9 @@
  $tr_url = PROJECT_PATH."/app/calls/call_edit.php?id=".$row['extension_uuid']."&return_url=".urlencode($_SERVER['REQUEST_URI']);
  $tr_link = (permission_exists('call_forward') || permission_exists('follow_me') || permission_exists('do_not_disturb')) ? "href='".$tr_url."'" : null;
  echo "\n";
- echo " ".$row['extension']."\n";
+ echo " ".escape($row['extension'])."\n";
  if (permission_exists('call_forward')) {
- echo "".(($row['forward_all_enabled'] == 'true') ? format_phone($row['forward_all_destination']) : ' ')."";
+ echo "".(($row['forward_all_enabled'] == 'true') ? escape(format_phone($row['forward_all_destination'])) : ' ')."";
  }
  if (permission_exists('follow_me')) {
  if ($row['follow_me_uuid'] != '') {
@@ -195,7 +194,7 @@
  echo "".(($row['do_not_disturb'] == 'true') ? $text['label-enabled'] : ' ')."";
  }
  if (!$is_included) {
- echo "".$row['description']." \n";
+ echo "".escape($row['description'])." \n";
  }
  echo " ".$v_link_label_edit."\n";
  echo "\n";
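Review bot: The added `$domain_uuid = $_SESSION['domain_uuid'];` reads the session key without checking that it exists, so a session with no selected domain raises an undefined-index notice and, presumably, leaves whatever query this value scopes with an empty tenant filter. Either guard it, `$domain_uuid = isset($_SESSION['domain_uuid']) ? $_SESSION['domain_uuid'] : '';`, or stop the page before any query runs when it is missing; which is appropriate depends on how `$domain_uuid` is consumed further down, which is outside this hunk. The removed `$order_by` and `$order` assignments may still be referenced later in the file; if they are, those uses now read undefined variables and should be removed in the same change. The surrounding code before and after this hunk is not visible here.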
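Review bot: `$tr_link` still interpolates `$tr_url` into a single-quoted `href='…'` attribute with no escaping, while the neighbouring cells in this hunk now go through `escape()`; `$row['extension_uuid']` is concatenated into that URL raw, so a non-UUID value in that column would break out of the attribute in exactly the way this commit is meant to prevent. Apply the same treatment to both lines: `$tr_url = PROJECT_PATH."/app/calls/call_edit.php?id=".urlencode($row['extension_uuid'])."&return_url=".urlencode($_SERVER['REQUEST_URI']);` and `... ? "href='".escape($tr_url)."'" : null;`. These two are context lines here, but they belong to the same row-rendering block as the lines being fixed. On the new `forward_all_enabled` line, `== 'true'` is a loose comparison; `=== 'true'` is the safer idiom since the column value is compared as a string. The enclosing loop over `$row` starts and ends outside this hunk.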