From 120a25e6db6eeef7d6a0f604426fe502b4a2ba48 Mon Sep 17 00:00:00 2001
From: fusionate <nate@fusionpbx.com>
Date: Fri, 31 Mar 2023 21:03:21 +0000
Subject: [PATCH] [security] Implement Sanitize in XML Handler Scripts

---
 .../scripts/configuration/acl.conf.lua        |  33 +++--
 .../scripts/configuration/callcenter.conf.lua | 123 ++++++++--------
 .../scripts/configuration/conference.conf.lua |  41 +++---
 .../scripts/configuration/ivr.conf.lua        |  79 ++++++-----
 .../configuration/local_stream.conf.lua       |  40 +++---
 .../scripts/configuration/sofia.conf.lua      | 133 +++++++++---------
 .../scripts/configuration/translate.conf.lua  |  31 ++--
 .../resources/scripts/dialplan/dialplan.lua   |  39 ++---
 .../scripts/directory/action/acl.lua          |  42 +++---
 .../scripts/directory/action/directory.lua    |  56 ++++----
 .../scripts/directory/action/domains.lua      |  19 +--
 .../scripts/directory/action/group_call.lua   |  32 ++---
 .../directory/action/reverse-auth-lookup.lua  |  31 ++--
 .../resources/scripts/directory/directory.lua |   1 +
 .../resources/scripts/languages/languages.lua |  49 ++++---
 15 files changed, 390 insertions(+), 359 deletions(-)

diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/acl.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/acl.conf.lua
index b0663a0667..34750fcc10 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/acl.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/acl.conf.lua
@@ -32,6 +32,9 @@
 		loopback.auto - ACL for your local lan.
 	]]
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --get the cache
 	local cache = require "resources.functions.cache"
 	local acl_cache_key = "configuration:acl.conf"
@@ -64,12 +67,12 @@
 			assert(dbh:connected());
 
 		--start the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="configuration">]]);
-			table.insert(xml, [[		<configuration name="acl.conf" description="Network Lists">]]);
-			table.insert(xml, [[			<network-lists>]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="configuration">]]);
+			xml:append([[		<configuration name="acl.conf" description="Network Lists">]]);
+			xml:append([[			<network-lists>]]);
 
 		--run the query
 			sql = "select * from v_access_controls ";
@@ -81,7 +84,7 @@
 			dbh:query(sql, function(row)
 
 				--list open tag
-					table.insert(xml, [[				<list name="]]..row.access_control_name..[[" default="]]..row.access_control_default..[[">]]);
+					xml:append([[				<list name="]] .. xml.sanitize(row.access_control_name) .. [[" default="]] .. xml.sanitize(row.access_control_default) .. [[">]]);
 
 				--get the nodes
 					sql = "select * from v_access_control_nodes ";
@@ -93,23 +96,23 @@
 					x = 0;
 					dbh:query(sql, params, function(field)
 						if (string.len(field.node_domain) > 0) then
-							table.insert(xml, [[					<node type="]] .. field.node_type .. [[" domain="]] .. field.node_domain .. [[" description="]] .. field.node_description .. [["/>]]);
+							xml:append([[					<node type="]] .. xml.sanitize(field.node_type) .. [[" domain="]] .. xml.sanitize(field.node_domain) .. [[" description="]] .. xml.sanitize(field.node_description) .. [["/>]]);
 						else
-							table.insert(xml, [[					<node type="]] .. field.node_type .. [[" cidr="]] .. field.node_cidr .. [[" description="]] .. field.node_description .. [["/>]]);
+							xml:append([[					<node type="]] .. xml.sanitize(field.node_type) .. [[" cidr="]] .. xml.sanitize(field.node_cidr) .. [[" description="]] .. xml.sanitize(field.node_description) .. [["/>]]);
 						end
 					end)
 
 				--list close tag
-					table.insert(xml, [[				</list>]]);
+					xml:append([[				</list>]]);
 
 			end)
 
 		--close the extension tag if it was left open
-			table.insert(xml, [[			</network-lists>]]);
-			table.insert(xml, [[		</configuration>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[			</network-lists>]]);
+			xml:append([[		</configuration>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 			if (debug["xml_string"]) then
 				freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
 			end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/callcenter.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/callcenter.conf.lua
index 70b7398ca0..158ecc2c32 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/callcenter.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/callcenter.conf.lua
@@ -27,6 +27,9 @@
 --include functions
 	require "resources.functions.format_ringback"
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --get the cache
 	local cache = require "resources.functions.cache"
 	hostname = trim(api:execute("switchname", ""));
@@ -52,23 +55,23 @@
 			dsn_callcenter = freeswitch.getGlobalVariable("dsn_callcenter") or ''
 
 		--start the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[    <section name="configuration">]]);
-			table.insert(xml, [[            <configuration name="callcenter.conf" description="Call Center">]]);
-			table.insert(xml, [[                    <settings>]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[    <section name="configuration">]]);
+			xml:append([[            <configuration name="callcenter.conf" description="Call Center">]]);
+			xml:append([[                    <settings>]]);
 			if #dsn_callcenter > 0 then
-				table.insert(xml, [[                            <param name="odbc-dsn" value="]]..dsn_callcenter..[["/>]]);
+				xml:append([[                            <param name="odbc-dsn" value="]] .. xml.sanitize(dsn_callcenter) .. [["/>]]);
 			elseif #dsn > 0 then
-				table.insert(xml, [[                            <param name="odbc-dsn" value="]]..database["switch"]..[["/>]]);
+				xml:append([[                            <param name="odbc-dsn" value="]] .. xml.sanitize(database["switch"]) .. [["/>]]);
 			end
-			table.insert(xml, [[                          <param name="cc-instance-id" value="]]..hostname..[["/>]]);
-			-- table.insert(xml, [[                          <param name="dbname" value="]]..database_dir..[[/call_center.db"/>]]);
-			table.insert(xml, [[                    </settings>]]);
+			xml:append([[                          <param name="cc-instance-id" value="]] .. xml.sanitize(hostname) .. [["/>]]);
+			-- xml:append([[                          <param name="dbname" value="]] .. xml.sanitize(database_dir) .. [[/call_center.db"/>]]);
+			xml:append([[                    </settings>]]);
 
 		--write the queues
-			table.insert(xml, [[                    <queues>]]);
+			xml:append([[                    <queues>]]);
 			sql = "select * from v_call_center_queues as q, v_domains as d ";
 			sql = sql .. "where d.domain_uuid = q.domain_uuid; ";
 			if (debug["sql"]) then
@@ -103,59 +106,59 @@
 					queue_name = queue_name:gsub(" ", "-");
 
 				--start the xml
-					table.insert(xml, [[                            <queue name="]]..queue_extension..[[@]]..domain_name..[[" label="]]..queue_name..[[@]]..domain_name..[[">]]);
-					table.insert(xml, [[                                    <param name="strategy" value="]]..queue_strategy..[["/>]]);
+					xml:append([[                            <queue name="]] .. xml.sanitize(queue_extension) .. [[@]] .. xml.sanitize(domain_name) .. [[" label="]] .. xml.sanitize(queue_name) .. [[@]] .. xml.sanitize(domain_name) .. [[">]]);
+					xml:append([[                                    <param name="strategy" value="]] .. xml.sanitize(queue_strategy) .. [["/>]]);
 				--set ringback
 					queue_ringback = format_ringback(queue_moh_sound);
-					table.insert(xml, [[                                    <param name="moh-sound" value="]]..queue_ringback..[["/>]]);
+					xml:append([[                                    <param name="moh-sound" value="]] .. xml.sanitize(queue_ringback) .. [["/>]]);
 					if (queue_record_template ~= nil) then
-						table.insert(xml, [[                                    <param name="record-template" value="]]..queue_record_template..[["/>]]);
+						xml:append([[                                    <param name="record-template" value="]] .. xml.sanitize(queue_record_template) .. [["/>]]);
 					end
 					if (queue_time_base_score ~= nil) then
-						table.insert(xml, [[                                    <param name="time-base-score" value="]]..queue_time_base_score..[["/>]]);
+						xml:append([[                                    <param name="time-base-score" value="]] .. xml.sanitize(queue_time_base_score) .. [["/>]]);
 					end
 					if (queue_max_wait_time_with_no_agent ~= nil) then
-						table.insert(xml, [[                                    <param name="max-wait-time" value="]]..queue_max_wait_time..[["/>]]);
+						xml:append([[                                    <param name="max-wait-time" value="]] .. xml.sanitize(queue_max_wait_time) .. [["/>]]);
 					end
 					if (queue_max_wait_time_with_no_agent ~= nil) then
-						table.insert(xml, [[                                    <param name="max-wait-time-with-no-agent" value="]]..queue_max_wait_time_with_no_agent..[["/>]]);
+						xml:append([[                                    <param name="max-wait-time-with-no-agent" value="]] .. xml.sanitize(queue_max_wait_time_with_no_agent) .. [["/>]]);
 					end
 					if (queue_max_wait_time_with_no_agent_time_reached ~= nil) then
-						table.insert(xml, [[                                    <param name="max-wait-time-with-no-agent-time-reached" value="]]..queue_max_wait_time_with_no_agent_time_reached..[["/>]]);
+						xml:append([[                                    <param name="max-wait-time-with-no-agent-time-reached" value="]] .. xml.sanitize(queue_max_wait_time_with_no_agent_time_reached) .. [["/>]]);
 					end
 					if (queue_tier_rules_apply ~= nil) then
-						table.insert(xml, [[                                    <param name="tier-rules-apply" value="]]..queue_tier_rules_apply..[["/>]]);
+						xml:append([[                                    <param name="tier-rules-apply" value="]] .. xml.sanitize(queue_tier_rules_apply) .. [["/>]]);
 					end
 					if (queue_tier_rule_wait_second ~= nil) then
-						table.insert(xml, [[                                    <param name="tier-rule-wait-second" value="]]..queue_tier_rule_wait_second..[["/>]]);
+						xml:append([[                                    <param name="tier-rule-wait-second" value="]] .. xml.sanitize(queue_tier_rule_wait_second) .. [["/>]]);
 					end
 					if (queue_tier_rule_wait_multiply_level ~= nil) then
-						table.insert(xml, [[                                    <param name="tier-rule-wait-multiply-level" value="]]..queue_tier_rule_wait_multiply_level..[["/>]]);
+						xml:append([[                                    <param name="tier-rule-wait-multiply-level" value="]] .. xml.sanitize(queue_tier_rule_wait_multiply_level) .. [["/>]]);
 					end
 					if (queue_tier_rule_no_agent_no_wait ~= nil) then
-						table.insert(xml, [[                                    <param name="tier-rule-no-agent-no-wait" value="]]..queue_tier_rule_no_agent_no_wait..[["/>]]);
+						xml:append([[                                    <param name="tier-rule-no-agent-no-wait" value="]] .. xml.sanitize(queue_tier_rule_no_agent_no_wait) .. [["/>]]);
 					end
 					if (queue_discard_abandoned_after ~= nil) then
-						table.insert(xml, [[                                    <param name="discard-abandoned-after" value="]]..queue_discard_abandoned_after..[["/>]]);
+						xml:append([[                                    <param name="discard-abandoned-after" value="]] .. xml.sanitize(queue_discard_abandoned_after) .. [["/>]]);
 					end
 					if (queue_abandoned_resume_allowed ~= nil) then
-						table.insert(xml, [[                                    <param name="abandoned-resume-allowed" value="]]..queue_abandoned_resume_allowed..[["/>]]);
+						xml:append([[                                    <param name="abandoned-resume-allowed" value="]] .. xml.sanitize(queue_abandoned_resume_allowed) .. [["/>]]);
 					end
 					if (queue_announce_sound ~= nil) then
-						table.insert(xml, [[                                    <param name="announce-sound" value="]]..queue_announce_sound..[["/>]]);
+						xml:append([[                                    <param name="announce-sound" value="]] .. xml.sanitize(queue_announce_sound) .. [["/>]]);
 					end
 					if (queue_announce_frequency ~= nil) then
-						table.insert(xml, [[                                    <param name="announce-frequency" value="]]..queue_announce_frequency..[["/>]]);
+						xml:append([[                                    <param name="announce-frequency" value="]] .. xml.sanitize(queue_announce_frequency) .. [["/>]]);
 					end
-					table.insert(xml, [[                            </queue>]]);
+					xml:append([[                            </queue>]]);
 
 				--increment the value of x
 					x = x + 1;
 			end)
-			table.insert(xml, [[                    </queues>]]);
+			xml:append([[                    </queues>]]);
 
 		--get the agents
-			table.insert(xml, [[                    <agents>]]);
+			xml:append([[                    <agents>]]);
 			sql = "select SPLIT_PART(SPLIT_PART(a.agent_contact, '/', 2), '@', 1) as extension,  ";
 			sql = sql .. "(select extension_uuid from v_extensions where domain_uuid = a.domain_uuid ";
 			sql = sql .. "and extension = SPLIT_PART(SPLIT_PART(a.agent_contact, '/', 2), '@', 1) limit 1) as extension_uuid, ";
@@ -236,30 +239,30 @@
 						end
 
 				--build the xml string
-					table.insert(xml, [[                            <agent ]]);
-					table.insert(xml, [[                            	name="]]..agent_uuid..[[" ]]);
-					table.insert(xml, [[                            	label="]]..agent_name..[[@]]..domain_name..[[" ]]);
-					table.insert(xml, [[                            	type="]]..agent_type..[[" ]]);
-					table.insert(xml, [[                            	contact="]]..agent_contact..[[" ]]);
-					table.insert(xml, [[                            	status="]]..agent_status..[[" ]]);
+					xml:append([[                            <agent ]]);
+					xml:append([[                            	name="]] .. xml.sanitize(agent_uuid) .. [[" ]]);
+					xml:append([[                            	label="]] .. xml.sanitize(agent_name) .. [[@]] .. xml.sanitize(domain_name) .. [[" ]]);
+					xml:append([[                            	type="]] .. xml.sanitize(agent_type) .. [[" ]]);
+					xml:append([[                            	contact="]] .. xml.sanitize(agent_contact) .. [[" ]]);
+					xml:append([[                            	status="]] .. xml.sanitize(agent_status) .. [[" ]]);
 					if (agent_no_answer_delay_time ~= nil) then
-						table.insert(xml, [[                            	no-answer-delay-time="]]..agent_no_answer_delay_time..[[" ]]);
+						xml:append([[                            	no-answer-delay-time="]] .. xml.sanitize(agent_no_answer_delay_time) .. [[" ]]);
 					end
 					if (agent_max_no_answer ~= nil) then
-						table.insert(xml, [[                            	max-no-answer="]]..agent_max_no_answer..[[" ]]);
+						xml:append([[                            	max-no-answer="]] .. xml.sanitize(agent_max_no_answer) .. [[" ]]);
 					end
 					if (agent_wrap_up_time ~= nil) then
-						table.insert(xml, [[                            	wrap-up-time="]]..agent_wrap_up_time..[[" ]]);
+						xml:append([[                            	wrap-up-time="]] .. xml.sanitize(agent_wrap_up_time) .. [[" ]]);
 					end
 					if (agent_reject_delay_time ~= nil) then
-						table.insert(xml, [[                            	reject-delay-time="]]..agent_reject_delay_time..[[" ]]);
+						xml:append([[                            	reject-delay-time="]] .. xml.sanitize(agent_reject_delay_time) .. [[" ]]);
 					end
 					if (agent_busy_delay_time ~= nil) then
-						table.insert(xml, [[                            	busy-delay-time="]]..agent_busy_delay_time..[[" ]]);
+						xml:append([[                            	busy-delay-time="]] .. xml.sanitize(agent_busy_delay_time) .. [[" ]]);
 					end
-					table.insert(xml, [[                            	/>]]);
+					xml:append([[                            	/>]]);
 			end)
-			table.insert(xml, [[                    </agents>]]);
+			xml:append([[                    </agents>]]);
 
 		--get the tiers
 			sql = "select t.domain_uuid, d.domain_name, t.call_center_agent_uuid, t.call_center_queue_uuid, q.queue_extension, t.tier_level, t.tier_position ";
@@ -269,7 +272,7 @@
 			if (debug["sql"]) then
 				freeswitch.consoleLog("notice", "[xml_handler] SQL: " .. sql .. "\n");
 			end
-			table.insert(xml, [[                    <tiers>]]);
+			xml:append([[                    <tiers>]]);
 			dbh:query(sql, function(row)
 				--get the values from the database and set as variables
 					domain_uuid = row.domain_uuid;
@@ -280,25 +283,25 @@
 					tier_level = row.tier_level;
 					tier_position = row.tier_position;
 				--build the xml
-					table.insert(xml, [[                            <tier ]]);
-					table.insert(xml, [[                            	agent="]]..agent_uuid..[[" ]]);
-					table.insert(xml, [[                            	queue="]]..queue_extension..[[@]]..domain_name..[[" ]]);
-					table.insert(xml, [[                            	domain_name="]]..domain_name..[[" ]]);
-					--table.insert(xml, [[                            	agent_name="]]..agent_name..[[" ]]);
-					--table.insert(xml, [[                            	queue_name="]]..queue_name..[[" ]]);
-					table.insert(xml, [[                            	level="]]..tier_level..[[" ]]);
-					table.insert(xml, [[                            	position="]]..tier_position..[[" ]]);
-					table.insert(xml, [[                            />]]);
+					xml:append([[                            <tier ]]);
+					xml:append([[                            	agent="]] .. xml.sanitize(agent_uuid) .. [[" ]]);
+					xml:append([[                            	queue="]] .. xml.sanitize(queue_extension) .. [[@]] .. xml.sanitize(domain_name) .. [[" ]]);
+					xml:append([[                            	domain_name="]] .. xml.sanitize(domain_name) .. [[" ]]);
+					--xml:append([[                            	agent_name="]] .. xml.sanitize(agent_name) .. [[" ]]);
+					--xml:append([[                            	queue_name="]] .. xml.sanitize(queue_name) .. [[" ]]);
+					xml:append([[                            	level="]] .. xml.sanitize(tier_level) .. [[" ]]);
+					xml:append([[                            	position="]] .. xml.sanitize(tier_position) .. [[" ]]);
+					xml:append([[                            />]]);
 			end)
-			table.insert(xml, [[                    </tiers>]]);
+			xml:append([[                    </tiers>]]);
 
 		--close the extension tag if it was left open
-			table.insert(xml, [[            </configuration>]]);
-			table.insert(xml, [[    </section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[            </configuration>]]);
+			xml:append([[    </section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 			if (debug["xml_string"]) then
-					freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
+				freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
 			end
 
 		--close the database connection
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/conference.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/conference.conf.lua
index e8b72f6333..483c8fb72a 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/conference.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/conference.conf.lua
@@ -37,15 +37,18 @@
 --exits the script if we didn't connect properly
 	assert(dbh:connected());
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --set the xml array
-	local xml = {}
-	table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-	table.insert(xml, [[<document type="freeswitch/xml">]]);
-	table.insert(xml, [[	<section name="configuration">]]);
-	table.insert(xml, [[		<configuration name="conference.conf" description="Audio Conference">]]);
+	local xml = Xml:new();
+	xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+	xml:append([[<document type="freeswitch/xml">]]);
+	xml:append([[	<section name="configuration">]]);
+	xml:append([[		<configuration name="conference.conf" description="Audio Conference">]]);
 
 --start the conference controls
-	table.insert(xml, [[			<caller-controls>]]);
+	xml:append([[			<caller-controls>]]);
 	sql = [[SELECT * FROM v_conference_controls
 		WHERE control_enabled = 'true' ]];
 	if (debug["sql"]) then
@@ -53,7 +56,7 @@
 	end
 	dbh:query(sql, function(field)
 		conference_control_uuid = field["conference_control_uuid"];
-		table.insert(xml, [[				<group name="]]..field["control_name"]..[[">]]);
+		xml:append([[				<group name="]] .. xml.sanitize(field["control_name"]) .. [[">]]);
 
 		--get the conference control details from the database
 		sql = [[SELECT * FROM v_conference_control_details
@@ -67,15 +70,15 @@
 		dbh:query(sql, params, function(row)
 			--conference_control_uuid = row["conference_control_uuid"];
 			--conference_control_detail_uuid = row["conference_control_detail_uuid"];
-			table.insert(xml, [[					<control digits="]]..row["control_digits"]..[[" action="]]..row["control_action"]..[[" data="]]..row["control_data"]..[["/>]]);
+			xml:append([[					<control digits="]] .. xml.sanitize(row["control_digits"]) .. [[" action="]] .. xml.sanitize(row["control_action"]) .. [[" data="]] .. xml.sanitize(row["control_data"]) .. [["/>]]);
 		end);
-		table.insert(xml, [[				</group>]]);
+		xml:append([[				</group>]]);
 	end);
-	table.insert(xml, [[			</caller-controls>]]);
+	xml:append([[			</caller-controls>]]);
 
 
 --start the conference profiles
-	table.insert(xml, [[			<profiles>]]);
+	xml:append([[			<profiles>]]);
 	sql = [[SELECT * FROM v_conference_profiles
 		WHERE profile_enabled = 'true' ]];
 	if (debug["sql"]) then
@@ -83,7 +86,7 @@
 	end
 	dbh:query(sql, function(field)
 		conference_profile_uuid = field["conference_profile_uuid"];
-		table.insert(xml, [[				<profile name="]]..field["profile_name"]..[[">]]);
+		xml:append([[				<profile name="]] .. xml.sanitize(field["profile_name"]) .. [[">]]);
 
 		--get the conference profile parameters from the database
 		sql = [[SELECT * FROM v_conference_profile_params
@@ -98,17 +101,17 @@
 			--conference_profile_uuid = row["conference_profile_uuid"];
 			--conference_profile_param_uuid = row["conference_profile_param_uuid"];
 			--profile_param_description = row["profile_param_description"];
-			table.insert(xml, [[					<param name="]]..row["profile_param_name"]..[[" value="]]..row["profile_param_value"]..[["/>]]);
+			xml:append([[					<param name="]] .. xml.sanitize(row["profile_param_name"]) .. [[" value="]] .. xml.sanitize(row["profile_param_value"]) .. [["/>]]);
 		end);
-		table.insert(xml, [[				</profile>]]);
+		xml:append([[				</profile>]]);
 	end);
-	table.insert(xml, [[			</profiles>]]);
+	xml:append([[			</profiles>]]);
 
 --set the xml array and then concatenate the array to a string
-	table.insert(xml, [[		</configuration>]]);
-	table.insert(xml, [[	</section>]]);
-	table.insert(xml, [[</document>]]);
-	XML_STRING = table.concat(xml, "\n");
+	xml:append([[		</configuration>]]);
+	xml:append([[	</section>]]);
+	xml:append([[</document>]]);
+	XML_STRING = xml:build();
 	if (debug["xml_string"]) then
 		freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
 	end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/ivr.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/ivr.conf.lua
index 6203d45064..47ade48e55 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/ivr.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/ivr.conf.lua
@@ -30,6 +30,9 @@
 
 	local log = require "resources.functions.log".ivr_menu
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --get the cache
 	local cache = require "resources.functions.cache"
 	local ivr_menu_cache_key = "configuration:ivr.conf:" .. ivr_menu_uuid
@@ -51,12 +54,12 @@
 			end
 
 		--start the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="configuration">]]);
-			table.insert(xml, [[		<configuration name="ivr.conf" description="IVR Menus">]]);
-			table.insert(xml, [[			<menus>]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="configuration">]]);
+			xml:append([[		<configuration name="ivr.conf" description="IVR Menus">]]);
+			xml:append([[			<menus>]]);
 
 		--set the sound prefix
 			sound_prefix = sounds_dir.."/${default_language}/${default_dialect}/${default_voice}/";
@@ -245,25 +248,25 @@
 					end
 
 				--add xml to the array
-					table.insert(xml, [[				<menu name="]]..ivr_menu_uuid..[[" description="]]..ivr_menu_name..[[" ]]);
-					table.insert(xml, [[				greet-long="]]..ivr_menu_greet_long..[[" ]]);
-					table.insert(xml, [[				greet-short="]]..ivr_menu_greet_short..[[" ]]);
-					table.insert(xml, [[				invalid-sound="]]..ivr_menu_invalid_sound..[[" ]]);
-					table.insert(xml, [[				exit-sound="]]..ivr_menu_exit_sound..[[" ]]);
-					table.insert(xml, [[				pin="]]..ivr_menu_pin_number..[[" ]]);
-					table.insert(xml, [[				confirm-macro="]]..ivr_menu_confirm_macro..[[" ]]);
-					table.insert(xml, [[				confirm-key="]]..ivr_menu_confirm_key..[[" ]]);
-					table.insert(xml, [[				tts-engine="]]..ivr_menu_tts_engine..[[" ]]);
-					table.insert(xml, [[				tts-voice="]]..ivr_menu_tts_voice..[[" ]]);
-					table.insert(xml, [[				confirm-attempts="]]..ivr_menu_confirm_attempts..[[" ]]);
-					table.insert(xml, [[				timeout="]]..ivr_menu_timeout..[[" ]]);
-					table.insert(xml, [[				inter-digit-timeout="]]..ivr_menu_inter_digit_timeout..[[" ]]);
-					table.insert(xml, [[				max-failures="]]..ivr_menu_max_failures..[[" ]]);
-					table.insert(xml, [[				max-timeouts="]]..ivr_menu_max_timeouts..[[" ]]);
-					table.insert(xml, [[				digit-len="]]..ivr_menu_digit_len..[[" ]]);
-					table.insert(xml, [[				ivr_menu_exit_app="]]..ivr_menu_exit_app..[[" ]]);
-					table.insert(xml, [[				ivr_menu_exit_data="]]..ivr_menu_exit_data..[[" ]]);
-					table.insert(xml, [[				>]]);
+					xml:append([[				<menu name="]] .. xml.sanitize(ivr_menu_uuid) .. [[" description="]] .. xml.sanitize(ivr_menu_name) .. [[" ]]);
+					xml:append([[				greet-long="]] .. xml.sanitize(ivr_menu_greet_long) .. [[" ]]);
+					xml:append([[				greet-short="]] .. xml.sanitize(ivr_menu_greet_short) .. [[" ]]);
+					xml:append([[				invalid-sound="]] .. xml.sanitize(ivr_menu_invalid_sound) .. [[" ]]);
+					xml:append([[				exit-sound="]] .. xml.sanitize(ivr_menu_exit_sound) .. [[" ]]);
+					xml:append([[				pin="]] .. xml.sanitize(ivr_menu_pin_number) .. [[" ]]);
+					xml:append([[				confirm-macro="]] .. xml.sanitize(ivr_menu_confirm_macro) .. [[" ]]);
+					xml:append([[				confirm-key="]] .. xml.sanitize(ivr_menu_confirm_key) .. [[" ]]);
+					xml:append([[				tts-engine="]] .. xml.sanitize(ivr_menu_tts_engine) .. [[" ]]);
+					xml:append([[				tts-voice="]] .. xml.sanitize(ivr_menu_tts_voice) .. [[" ]]);
+					xml:append([[				confirm-attempts="]] .. xml.sanitize(ivr_menu_confirm_attempts) .. [[" ]]);
+					xml:append([[				timeout="]] .. xml.sanitize(ivr_menu_timeout) .. [[" ]]);
+					xml:append([[				inter-digit-timeout="]] .. xml.sanitize(ivr_menu_inter_digit_timeout) .. [[" ]]);
+					xml:append([[				max-failures="]] .. xml.sanitize(ivr_menu_max_failures) .. [[" ]]);
+					xml:append([[				max-timeouts="]] .. xml.sanitize(ivr_menu_max_timeouts) .. [[" ]]);
+					xml:append([[				digit-len="]] .. xml.sanitize(ivr_menu_digit_len) .. [[" ]]);
+					xml:append([[				ivr_menu_exit_app="]] .. xml.sanitize(ivr_menu_exit_app) .. [[" ]]);
+					xml:append([[				ivr_menu_exit_data="]] .. xml.sanitize(ivr_menu_exit_data) .. [[" ]]);
+					xml:append([[				>]]);
 
 				--get the ivr menu options
 					local sql = [[ SELECT * FROM v_ivr_menu_options WHERE ivr_menu_uuid = :ivr_menu_uuid AND ivr_menu_option_enabled = 'true' ORDER BY ivr_menu_option_order asc ]];
@@ -278,7 +281,7 @@
 						ivr_menu_option_param = r.ivr_menu_option_param
 						ivr_menu_option_description = r.ivr_menu_option_description
 						if (#ivr_menu_option_action > 0) then
-							table.insert(xml, [[					<entry action="]]..ivr_menu_option_action..[[" digits="]]..ivr_menu_option_digits..[[" param="]]..ivr_menu_option_param..[[" description="]]..ivr_menu_option_description..[["/>]]);
+							xml:append([[					<entry action="]] .. xml.sanitize(ivr_menu_option_action) .. [[" digits="]] .. xml.sanitize(ivr_menu_option_digits) .. [[" param="]] .. xml.sanitize(ivr_menu_option_param) .. [[" description="]] .. xml.sanitize(ivr_menu_option_description) .. [["/>]]);
 							if (tonumber(ivr_menu_option_digits) and #ivr_menu_option_digits >= tonumber(direct_dial_digits_min)) then
 								table.insert(direct_dial_exclude, ivr_menu_option_digits);
 							end
@@ -292,26 +295,26 @@
 							negative_lookahead = "(?!^("..table.concat(direct_dial_exclude, "|")..")$)";
 						end
 						local direct_dial_regex = string.format("/^(%s\\d{%s,%s})$/", negative_lookahead, direct_dial_digits_min, direct_dial_digits_max);
-						table.insert(xml, [[					<entry action="menu-exec-app" digits="]]..direct_dial_regex..[[" param="set ${cond(${user_exists id $1 ]]..domain_name..[[} == true ? user_exists=true : user_exists=false)}" description="direct dial"/>\n]]);
-						--table.insert(xml, [[					<entry action="menu-exec-app" digits="]]..direct_dial_regex..[[" param="set ${cond(${user_exists} == true ? user_exists=true : ivr_max_failures=${system(expr ${ivr_max_failures} + 1)})}" description="increment max failures"/>\n]]);
-						table.insert(xml, [[					<entry action="menu-exec-app" digits="]]..direct_dial_regex..[[" param="playback ${cond(${user_exists} == true ? ]]..sound_prefix..[[ivr/ivr-call_being_transferred.wav : ]]..sound_prefix..[[ivr/ivr-that_was_an_invalid_entry.wav)}" description="play sound"/>\n]]);
-						--table.insert(xml, [[					<entry action="menu-exec-app" digits="]]..direct_dial_regex..[[" param="transfer ${cond(${ivr_max_failures} == ]]..ivr_menu_max_failures..[[ ? ]]..ivr_menu_exit_data..[[)}" description="max fail transfer"/>\n]]);
-						table.insert(xml, [[					<entry action="menu-exec-app" digits="]]..direct_dial_regex..[[" param="transfer ${cond(${user_exists} == true ? $1 XML ]]..domain_name..[[)}" description="direct dial transfer"/>\n]]);
+						xml:append([[					<entry action="menu-exec-app" digits="]] .. xml.sanitize(direct_dial_regex) .. [[" param="set ${cond(${user_exists id $1 ]] .. xml.sanitize(domain_name) .. [[} == true ? user_exists=true : user_exists=false)}" description="direct dial"/>\n]]);
+						--xml:append([[					<entry action="menu-exec-app" digits="]] .. xml.sanitize(direct_dial_regex) .. [[" param="set ${cond(${user_exists} == true ? user_exists=true : ivr_max_failures=${system(expr ${ivr_max_failures} + 1)})}" description="increment max failures"/>\n]]);
+						xml:append([[					<entry action="menu-exec-app" digits="]] .. xml.sanitize(direct_dial_regex) .. [[" param="playback ${cond(${user_exists} == true ? ]] .. xml.sanitize(sound_prefix) .. [[ivr/ivr-call_being_transferred.wav : ]] .. xml.sanitize(sound_prefix) .. [[ivr/ivr-that_was_an_invalid_entry.wav)}" description="play sound"/>\n]]);
+						--xml:append([[					<entry action="menu-exec-app" digits="]] .. xml.sanitize(direct_dial_regex) .. [[" param="transfer ${cond(${ivr_max_failures} == ]] .. xml.sanitize(ivr_menu_max_failures) .. [[ ? ]] .. xml.sanitize(ivr_menu_exit_data) .. [[)}" description="max fail transfer"/>\n]]);
+						xml:append([[					<entry action="menu-exec-app" digits="]] .. xml.sanitize(direct_dial_regex) .. [[" param="transfer ${cond(${user_exists} == true ? $1 XML ]] .. xml.sanitize(domain_name) .. [[)}" description="direct dial transfer"/>\n]]);
 					end
 
 				--close the extension tag if it was left open
-					table.insert(xml, [[				</menu>]]);
+					xml:append([[				</menu>]]);
 
 			end);
 
 		--add the xml closing tags
-			table.insert(xml, [[			</menus>]]);
-			table.insert(xml, [[		</configuration>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
+			xml:append([[			</menus>]]);
+			xml:append([[		</configuration>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
 
-		--save the xml table into a string
-			XML_STRING = table.concat(xml, "\n");
+		--save the xml into a string
+			XML_STRING = xml:build();
 
 		--optinonal debug message
 			if (debug["xml_string"]) then
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/local_stream.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/local_stream.conf.lua
index c65257ba50..5505eacf11 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/local_stream.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/local_stream.conf.lua
@@ -1,3 +1,5 @@
+--include xml library
+	local Xml = require "resources.functions.xml";
 
 --get the cache
 	local cache = require "resources.functions.cache"
@@ -31,11 +33,11 @@
 			assert(dbh:connected());
 
 		--start the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="configuration">]]);
-			table.insert(xml, [[		<configuration name="local_stream.conf" description="stream files from local dir">]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="configuration">]]);
+			xml:append([[		<configuration name="local_stream.conf" description="stream files from local dir">]]);
 
 		--run the query
 			sql = "select d.domain_name, s.* "
@@ -90,30 +92,30 @@
 				end
 
 				--build the xml ]]..row.music_on_hold_name..[["
-				table.insert(xml, [[	<directory name="]]..name..[[" uuid="]]..row.music_on_hold_uuid..[[" path="]]..music_on_hold_path..[[">]]);
-				table.insert(xml, [[			<param name="rate" value="]]..rate..[["/>]]);
-				table.insert(xml, [[			<param name="shuffle" value="]]..row.music_on_hold_shuffle..[["/>]]);
-				table.insert(xml, [[			<param name="channels" value="1"/>]]);
-				table.insert(xml, [[			<param name="interval" value="20"/>]]);
-				table.insert(xml, [[			<param name="timer-name" value="]]..timer_name..[["/>]]);
+				xml:append([[	<directory name="]] .. xml.sanitize(name) .. [[" uuid="]] .. xml.sanitize(row.music_on_hold_uuid) .. [[" path="]] .. xml.sanitize(music_on_hold_path) .. [[">]]);
+				xml:append([[			<param name="rate" value="]] .. xml.sanitize(rate) .. [["/>]]);
+				xml:append([[			<param name="shuffle" value="]] .. xml.sanitize(row.music_on_hold_shuffle) .. [["/>]]);
+				xml:append([[			<param name="channels" value="1"/>]]);
+				xml:append([[			<param name="interval" value="20"/>]]);
+				xml:append([[			<param name="timer-name" value="]] .. xml.sanitize(timer_name) ..[["/>]]);
 				if (chime_list ~= nil) then
-					table.insert(xml, [[			<param name="chime-list" value="]]..chime_list..[["/>]]);
+					xml:append([[			<param name="chime-list" value="]] .. xml.sanitize(chime_list) .. [["/>]]);
 				end
 				if (row.music_on_hold_chime_freq ~= nil) then
-					table.insert(xml, [[			<param name="chime-freq" value="]]..row.music_on_hold_chime_freq..[["/>]]);
+					xml:append([[			<param name="chime-freq" value="]] .. xml.sanitize(row.music_on_hold_chime_freq) .. [["/>]]);
 				end
 				if (row.music_on_hold_chime_max ~= nil) then
-					table.insert(xml, [[			<param name="chime-max" value="]]..row.music_on_hold_chime_max..[["/>]]);
+					xml:append([[			<param name="chime-max" value="]] .. xml.sanitize(row.music_on_hold_chime_max) .. [["/>]]);
 				end
-				table.insert(xml, [[		</directory>]]);
+				xml:append([[		</directory>]]);
 
 			end)
 
 		--close the extension tag if it was left open
-			table.insert(xml, [[		</configuration>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[		</configuration>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 			if (debug["xml_string"]) then
 				freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
 			end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/sofia.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/sofia.conf.lua
index 44eab72475..91026f2a94 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/sofia.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/sofia.conf.lua
@@ -24,6 +24,9 @@
 --	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 --	POSSIBILITY OF SUCH DAMAGE.
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --get the cache
 	local cache = require "resources.functions.cache"
 	local hostname = trim(api:execute("switchname", ""))
@@ -59,11 +62,11 @@
 			vars = trim(api:execute("global_getvar", ""));
 
 		--start the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="configuration">]]);
-			table.insert(xml, [[		<configuration name="sofia.conf" description="sofia Endpoint">]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="configuration">]]);
+			xml:append([[		<configuration name="sofia.conf" description="sofia Endpoint">]]);
 
 		--gt the global settings
 			sql = "select * from v_sofia_global_settings ";
@@ -71,11 +74,11 @@
 			sql = sql .. "order by global_setting_name asc ";
 			local params = {};
 			x = 0;
-			table.insert(xml, [[			<global_settings>]]);
+			xml:append([[			<global_settings>]]);
 			dbh:query(sql, params, function(row)
-					table.insert(xml, [[				<param name="]]..row.global_setting_name..[[" value="]]..row.global_setting_value..[["/>]]);
+					xml:append([[				<param name="]] .. xml.sanitize(row.global_setting_name) .. [[" value="]] .. xml.sanitize(row.global_setting_value) .. [["/>]]);
 			end)
-			table.insert(xml, [[			</global_settings>]]);
+			xml:append([[			</global_settings>]]);
 
 		--set defaults
 			previous_sip_profile_name = "";
@@ -94,7 +97,7 @@
 				freeswitch.consoleLog("notice", "[xml_handler] SQL: " .. sql .. "; params: " .. json.encode(params) .. "\n");
 			end
 			x = 0;
-			table.insert(xml, [[			<profiles>]]);
+			xml:append([[			<profiles>]]);
 			dbh:query(sql, params, function(row)
 				--set as variables
 					sip_profile_uuid = row.sip_profile_uuid;
@@ -106,14 +109,14 @@
 				--open xml tag
 					if (sip_profile_name ~= previous_sip_profile_name) then
 						if (x > 1) then
-							table.insert(xml, [[					</settings>]]);
-							table.insert(xml, [[				</profile>]]);
+							xml:append([[					</settings>]]);
+							xml:append([[				</profile>]]);
 						end
-						table.insert(xml, [[				<profile name="]]..sip_profile_name..[[">]]);
-						table.insert(xml, [[					<aliases>]]);
-						table.insert(xml, [[					</aliases>]]);
-						table.insert(xml, [[					<gateways>]]);
-						--table.insert(xml, [[						<X-PRE-PROCESS cmd="include" data="]]..sip_profile_name..[[/*.xml"/>]]);
+						xml:append([[				<profile name="]] .. xml.sanitize(sip_profile_name) .. [[">]]);
+						xml:append([[					<aliases>]]);
+						xml:append([[					</aliases>]]);
+						xml:append([[					<gateways>]]);
+						--xml:append([[						<X-PRE-PROCESS cmd="include" data="]] .. xml.sanitize(sip_profile_name) .. [[/*.xml"/>]]);
 
 						--get the gateways
 							sql = "select * from v_gateways ";
@@ -126,108 +129,108 @@
 							end
 							x = 0;
 							dbh:query(sql, params, function(field)
-								table.insert(xml, [[						<gateway name="]] .. string.lower(field.gateway_uuid) .. [[">]]);
+								xml:append([[						<gateway name="]] .. xml.sanitize(string.lower(field.gateway_uuid)) .. [[">]]);
 
 								if (string.len(field.username) > 0) then
-									table.insert(xml, [[							<param name="username" value="]] .. field.username .. [["/>]]);
+									xml:append([[							<param name="username" value="]] .. xml.sanitize(field.username) .. [["/>]]);
 								end
 								if (string.len(field.distinct_to) > 0) then
-									table.insert(xml, [[							<param name="distinct-to" value="]] .. field.distinct_to .. [["/>]]);
+									xml:append([[							<param name="distinct-to" value="]] .. xml.sanitize(field.distinct_to) .. [["/>]]);
 								end
 								if (string.len(field.auth_username) > 0) then
-									table.insert(xml, [[							<param name="auth-username" value="]] .. field.auth_username .. [["/>]]);
+									xml:append([[							<param name="auth-username" value="]] .. xml.sanitize(field.auth_username) .. [["/>]]);
 								end
 								if (string.len(field.password) > 0) then
-									table.insert(xml, [[							<param name="password" value="]] .. field.password .. [["/>]]);
+									xml:append([[							<param name="password" value="]] .. xml.sanitize(field.password) .. [["/>]]);
 								end
 								if (string.len(field.realm) > 0) then
-									table.insert(xml, [[							<param name="realm" value="]] .. field.realm .. [["/>]]);
+									xml:append([[							<param name="realm" value="]] .. xml.sanitize(field.realm) .. [["/>]]);
 								end
 								if (string.len(field.from_user) > 0) then
-									table.insert(xml, [[							<param name="from-user" value="]] .. field.from_user .. [["/>]]);
+									xml:append([[							<param name="from-user" value="]] .. xml.sanitize(field.from_user) .. [["/>]]);
 								end
 								if (string.len(field.from_domain) > 0) then
-									table.insert(xml, [[							<param name="from-domain" value="]] .. field.from_domain .. [["/>]]);
+									xml:append([[							<param name="from-domain" value="]] .. xml.sanitize(field.from_domain) .. [["/>]]);
 								end
 								if (string.len(field.proxy) > 0) then
-									table.insert(xml, [[							<param name="proxy" value="]] .. field.proxy .. [["/>]]);
+									xml:append([[							<param name="proxy" value="]] .. xml.sanitize(field.proxy) .. [["/>]]);
 								end
 								if (string.len(field.register_proxy) > 0) then
-									table.insert(xml, [[							<param name="register-proxy" value="]] .. field.register_proxy .. [["/>]]);
+									xml:append([[							<param name="register-proxy" value="]] .. xml.sanitize(field.register_proxy) .. [["/>]]);
 								end
 								if (string.len(field.outbound_proxy) > 0) then
-									table.insert(xml, [[							<param name="outbound-proxy" value="]] .. field.outbound_proxy .. [["/>]]);
+									xml:append([[							<param name="outbound-proxy" value="]] .. xml.sanitize(field.outbound_proxy) .. [["/>]]);
 								end
 								if (string.len(field.expire_seconds) > 0) then
-									table.insert(xml, [[							<param name="expire-seconds" value="]] .. field.expire_seconds .. [["/>]]);
+									xml:append([[							<param name="expire-seconds" value="]] .. xml.sanitize(field.expire_seconds) .. [["/>]]);
 								end
 								if (string.len(field.register) > 0) then
-									table.insert(xml, [[							<param name="register" value="]] .. field.register .. [["/>]]);
+									xml:append([[							<param name="register" value="]] .. xml.sanitize(field.register) .. [["/>]]);
 								end
 
 								if (field.register_transport) then
 									if (field.register_transport == "udp") then
-										table.insert(xml, [[							<param name="register-transport" value="udp"/>]]);
+										xml:append([[							<param name="register-transport" value="udp"/>]]);
 									elseif (field.register_transport ==  "tcp") then
-										table.insert(xml, [[							<param name="register-transport" value="tcp"/>]]);
+										xml:append([[							<param name="register-transport" value="tcp"/>]]);
 									elseif (field.register_transport == "tls") then
-										table.insert(xml, [[							<param name="register-transport" value="tls"/>]]);
+										xml:append([[							<param name="register-transport" value="tls"/>]]);
 										
 									else
-										table.insert(xml, [[							<param name="register-transport" value="udp"/>]]);
+										xml:append([[							<param name="register-transport" value="udp"/>]]);
 									end
 								end
 
 								if (field.contact_params) then
-									table.insert(xml, [[							<param name="contact-params" value="]] .. field.contact_params .. [["/>]]);
+									xml:append([[							<param name="contact-params" value="]] .. xml.sanitize(field.contact_params) .. [["/>]]);
 								end
 
 								if (string.len(field.retry_seconds) > 0) then
-									table.insert(xml, [[							<param name="retry-seconds" value="]] .. field.retry_seconds .. [["/>]]);
+									xml:append([[							<param name="retry-seconds" value="]] .. xml.sanitize(field.retry_seconds) .. [["/>]]);
 								end
 								if (string.len(field.extension) > 0) then
-									table.insert(xml, [[							<param name="extension" value="]] .. field.extension .. [["/>]]);
+									xml:append([[							<param name="extension" value="]] .. xml.sanitize(field.extension) .. [["/>]]);
 								end
 								if (string.len(field.ping) > 0) then
-									table.insert(xml, [[							<param name="ping" value="]] .. field.ping .. [["/>]]);
+									xml:append([[							<param name="ping" value="]] .. xml.sanitize(field.ping) .. [["/>]]);
 								end
 								if (string.len(field.ping_min) > 0) then
-									table.insert(xml, [[							<param name="ping-min" value="]] .. field.ping_min .. [["/>]]);
+									xml:append([[							<param name="ping-min" value="]] .. xml.sanitize(field.ping_min) .. [["/>]]);
 								end
 								if (string.len(field.ping_max) > 0) then
-									table.insert(xml, [[							<param name="ping-max" value="]] .. field.ping_max .. [["/>]]);
+									xml:append([[							<param name="ping-max" value="]] .. xml.sanitize(field.ping_max) .. [["/>]]);
 								end
 								if (string.len(field.contact_in_ping) > 0) then
-									table.insert(xml, [[							<param name="contact-in-ping" value="]] .. field.contact_in_ping .. [["/>]]);
+									xml:append([[							<param name="contact-in-ping" value="]] .. xml.sanitize(field.contact_in_ping) .. [["/>]]);
 								end
 								if (string.len(field.context) > 0) then
-									table.insert(xml, [[							<param name="context" value="]] .. field.context .. [["/>]]);
+									xml:append([[							<param name="context" value="]] .. xml.sanitize(field.context) .. [["/>]]);
 								end
 								if (string.len(field.caller_id_in_from) > 0) then
-									table.insert(xml, [[							<param name="caller-id-in-from" value="]] .. field.caller_id_in_from .. [["/>]]);
+									xml:append([[							<param name="caller-id-in-from" value="]] .. xml.sanitize(field.caller_id_in_from) .. [["/>]]);
 								end
 								if (string.len(field.supress_cng) > 0) then
-									table.insert(xml, [[							<param name="supress-cng" value="]] .. field.supress_cng .. [["/>]]);
+									xml:append([[							<param name="supress-cng" value="]] .. xml.sanitize(field.supress_cng) .. [["/>]]);
 								end
 								if (string.len(field.extension_in_contact) > 0) then
-									table.insert(xml, [[							<param name="extension-in-contact" value="]] .. field.extension_in_contact .. [["/>]]);
+									xml:append([[							<param name="extension-in-contact" value="]] .. xml.sanitize(field.extension_in_contact) .. [["/>]]);
 								end
-								table.insert(xml, [[							<variables>]]);
+								xml:append([[							<variables>]]);
 								if (string.len(field.sip_cid_type) > 0) then
-									table.insert(xml, [[								<variable name="sip_cid_type" value="]] .. field.sip_cid_type .. [["/>]]);
+									xml:append([[								<variable name="sip_cid_type" value="]] .. xml.sanitize(field.sip_cid_type) .. [["/>]]);
 								end
-								table.insert(xml, [[							</variables>]]);
-								table.insert(xml, [[						</gateway>]]);
+								xml:append([[							</variables>]]);
+								xml:append([[						</gateway>]]);
 							end)
 
-						table.insert(xml, [[					</gateways>]]);
-						table.insert(xml, [[					<domains>]]);
+						xml:append([[					</gateways>]]);
+						xml:append([[					<domains>]]);
 
 						--add sip profile domain: name, alias, and parse
-						table.insert(xml, [[						<!-- indicator to parse the directory for domains with parse="true" to get gateways-->]]);
-						table.insert(xml, [[						<!--<domain name="$${domain}" parse="true"/>-->]]);
-						table.insert(xml, [[						<!-- indicator to parse the directory for domains with parse="true" to get gateways and alias every domain to this profile -->]]);
-						table.insert(xml, [[						<!--<domain name="all" alias="true" parse="true"/>-->]]);
+						xml:append([[						<!-- indicator to parse the directory for domains with parse="true" to get gateways-->]]);
+						xml:append([[						<!--<domain name="$${domain}" parse="true"/>-->]]);
+						xml:append([[						<!-- indicator to parse the directory for domains with parse="true" to get gateways and alias every domain to this profile -->]]);
+						xml:append([[						<!--<domain name="all" alias="true" parse="true"/>-->]]);
 						sql = "SELECT sip_profile_domain_name, sip_profile_domain_alias, sip_profile_domain_parse FROM v_sip_profile_domains ";
 						sql = sql .. "WHERE sip_profile_uuid = :sip_profile_uuid";
 						local params = {sip_profile_uuid = sip_profile_uuid};
@@ -241,11 +244,11 @@
 							if (name == nil or name == '') then name = 'false'; end
 							if (alias == nil or alias == '') then alias = 'false'; end
 							if (parse == nil or parse == '') then parse = 'false'; end
-							table.insert(xml, [[						<domain name="]] .. name .. [[" alias="]] .. alias .. [[" parse="]] .. parse .. [["/>]]);
+							xml:append([[						<domain name="]] .. xml.sanitize(name) .. [[" alias="]] .. xml.sanitize(alias) .. [[" parse="]] .. xml.sanitize(parse) .. [["/>]]);
 						end);
 						
-						table.insert(xml, [[					</domains>]]);
-						table.insert(xml, [[					<settings>]]);
+						xml:append([[					</domains>]]);
+						xml:append([[					<settings>]]);
 						profile_tag_status = "open";
 					end
 
@@ -266,7 +269,7 @@
 
 				--set the parameters
 					if (sip_profile_setting_name) then
-						table.insert(xml, [[						<param name="]]..sip_profile_setting_name..[[" value="]]..sip_profile_setting_value..[["/>]]);
+						xml:append([[						<param name="]] .. xml.sanitize(sip_profile_setting_name) .. [[" value="]] .. xml.sanitize(sip_profile_setting_value) .. [["/>]]);
 					end
 
 				--set the previous value
@@ -278,15 +281,15 @@
 
 		--close the extension tag if it was left open
 			if (profile_tag_status == "open") then
-				table.insert(xml, [[					</settings>]]);
-				table.insert(xml, [[				</profile>]]);
+				xml:append([[					</settings>]]);
+				xml:append([[				</profile>]]);
 				profile_tag_status = "close";
 			end
-			table.insert(xml, [[			</profiles>]]);
-			table.insert(xml, [[		</configuration>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[			</profiles>]]);
+			xml:append([[		</configuration>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 			if (debug["xml_string"]) then
 				freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
 			end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/translate.conf.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/translate.conf.lua
index f77cfb1f04..b89beb3aa2 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/translate.conf.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/configuration/translate.conf.lua
@@ -24,6 +24,9 @@
 --	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 --	POSSIBILITY OF SUCH DAMAGE.
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --get the cache
 	local cache = require "resources.functions.cache"
 	local translate_cache_key = "configuration:translate.conf"
@@ -60,12 +63,12 @@
 			assert(dbh:connected());
 
 		--start the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="configuration">]]);
-			table.insert(xml, [[		<configuration name="translate.conf" description="Number Translation Rules" autogenerated="true">]]);
-			table.insert(xml, [[			<profiles>]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="configuration">]]);
+			xml:append([[		<configuration name="translate.conf" description="Number Translation Rules" autogenerated="true">]]);
+			xml:append([[			<profiles>]]);
 
 		--run the query
 			sql = "select * from v_number_translations ";
@@ -77,7 +80,7 @@
 			dbh:query(sql, function(row)
 
 				--list open tag
-					table.insert(xml, [[				<profile name="]]..row.number_translation_name..[[" description="]]..row.number_translation_description..[[">]]);
+					xml:append([[				<profile name="]] .. xml.sanitize(row.number_translation_name) .. [[" description="]] .. xml.sanitize(row.number_translation_description) .. [[">]]);
 
 				--get the nodes
 					sql = "select * from v_number_translation_details ";
@@ -90,21 +93,21 @@
 					x = 0;
 					dbh:query(sql, params, function(field)
 						if (string.len(field.number_translation_detail_regex) > 0) then
-							table.insert(xml, [[					<rule regex="]] .. field.number_translation_detail_regex .. [[" replace="]] .. field.number_translation_detail_replace .. [[" />]]);
+							xml:append([[					<rule regex="]] .. xml.sanitize(field.number_translation_detail_regex) .. [[" replace="]] .. xml.sanitize(field.number_translation_detail_replace) .. [[" />]]);
 						end
 					end)
 
 				--list close tag
-					table.insert(xml, [[				</profile>]]);
+					xml:append([[				</profile>]]);
 
 			end)
 
 		--close the extension tag if it was left open
-			table.insert(xml, [[			</profiles>]]);
-			table.insert(xml, [[		</configuration>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[			</profiles>]]);
+			xml:append([[		</configuration>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 			if (debug["xml_string"]) then
 				freeswitch.consoleLog("notice", "[xml_handler] XML_STRING: " .. XML_STRING .. "\n");
 			end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/dialplan/dialplan.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/dialplan/dialplan.lua
index d50551d0e0..30424ce1f2 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/dialplan/dialplan.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/dialplan/dialplan.lua
@@ -28,6 +28,9 @@
 	local cache = require"resources.functions.cache"
 	local log = require"resources.functions.log"["xml_handler"]
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --connect to the database
 	local Database = require "resources.functions.database";
 	dbh = Database.new('system');
@@ -156,11 +159,11 @@
 			hostname = trim(api:execute("hostname", ""));
 
 		--set the xml array and then concatenate the array to a string
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="dialplan" description="">]]);
-			table.insert(xml, [[		<context name="]] .. call_context .. [[" destination_number="]]..destination_number..[[" hostname="]]..hostname..[[">]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="dialplan" description="">]]);
+			xml:append([[		<context name="]] .. xml.sanitize(call_context) .. [[" destination_number="]] .. xml.sanitize(destination_number) .. [[" hostname="]] .. xml.sanitize(hostname) .. [[">]]);
 
 		--get the dialplan xml
 			if (context_name == 'public' and dialplan_mode == 'single') then
@@ -193,19 +196,19 @@
 					if (row.domain_uuid ~= nil) then
 						domain_name = row.domain_name;
 					else
-						table.insert(xml, row.dialplan_xml);
+						xml:append(row.dialplan_xml);
 					end
 					if (row.domain_enabled == true) then
-						table.insert(xml, row.dialplan_xml);
+						xml:append(row.dialplan_xml);
 					end
 				end);
 				if (xml == nil) then
-					table.insert(xml, [[		<extension name="not-found" continue="false" uuid="9913df49-0757-414b-8cf9-bcae2fd81ae7">]]);
-					table.insert(xml, [[			<condition field="" expression="">]]);
-					table.insert(xml, [[				<action application="set" data="call_direction=inbound" inline="true"/>]]);
-					table.insert(xml, [[				<action application="log" data="WARNING [inbound routes] 404 not found ${sip_network_ip}" inline="true"/>]]);
-					table.insert(xml, [[			</condition>]]);
-					table.insert(xml, [[		</extension>]]);
+					xml:append([[		<extension name="not-found" continue="false" uuid="9913df49-0757-414b-8cf9-bcae2fd81ae7">]]);
+					xml:append([[			<condition field="" expression="">]]);
+					xml:append([[				<action application="set" data="call_direction=inbound" inline="true"/>]]);
+					xml:append([[				<action application="log" data="WARNING [inbound routes] 404 not found ${sip_network_ip}" inline="true"/>]]);
+					xml:append([[			</condition>]]);
+					xml:append([[		</extension>]]);
 				end
 			else
 				sql = "select dialplan_xml from v_dialplans as p ";
@@ -222,15 +225,15 @@
 					freeswitch.consoleLog("notice", "[dialplan] SQL: " .. sql .. "; params:" .. json.encode(params) .. "\n");
 				end
 				dbh:query(sql, params, function(row)
-					table.insert(xml, row.dialplan_xml);
+					xml:append(row.dialplan_xml);
 				end);
 			end
 
 		--set the xml array and then concatenate the array to a string
-			table.insert(xml, [[		</context>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[		</context>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 
 		--close the database connection
 			dbh:release();
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/acl.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/acl.lua
index 0d9de9351f..b183a2b38b 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/acl.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/acl.lua
@@ -10,10 +10,10 @@
 	end
 
 --build the xml
-	local xml = {}
-	table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]])
-	table.insert(xml, [[<document type="freeswitch/xml">]])
-	table.insert(xml, [[	<section name="directory">]])
+	local xml = Xml:new();
+	xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]])
+	xml:append([[<document type="freeswitch/xml">]])
+	xml:append([[	<section name="directory">]])
 
 --process when the sip profile is rescanned, sofia is reloaded, or sip redirect
 	local sql = "SELECT * FROM v_domains as d, v_extensions as e "
@@ -34,33 +34,33 @@
 	dbh:query(sql, params, function(row)
 		if prev_domain_name ~= row.domain_name then
 			if prev_domain_name then
-				table.insert(xml, [[					</users>]])
-				table.insert(xml, [[				</group>]])
-				table.insert(xml, [[			</groups>]])
-				table.insert(xml, [[		</domain>]])
+				xml:append([[					</users>]])
+				xml:append([[				</group>]])
+				xml:append([[			</groups>]])
+				xml:append([[		</domain>]])
 			end
 			prev_domain_name = row.domain_name
-			table.insert(xml, [[		<domain name="]] .. row.domain_name .. [[" alias="true">]])
-			table.insert(xml, [[			<groups>]])
-			table.insert(xml, [[				<group name="default">]])
-			table.insert(xml, [[					<users>]])
+			xml:append([[		<domain name="]] .. xml.sanitize(row.domain_name) .. [[" alias="true">]])
+			xml:append([[			<groups>]])
+			xml:append([[				<group name="default">]])
+			xml:append([[					<users>]])
 		end
 
-		local cidr = (#row.cidr > 0) and (' cidr="' .. row.cidr .. '"') or ''
-		table.insert(xml, [[						<user id="]] .. row.extension .. [["]] .. cidr .. [[/>]])
+		local cidr = (#row.cidr > 0) and (' cidr="' .. xml.sanitize(row.cidr) .. '"') or ''
+		xml:append([[						<user id="]] .. xml.sanitize(row.extension) .. [["]] .. cidr .. [[/>]])
 	end)
 
 	if prev_domain_name then
-		table.insert(xml, [[					</users>]])
-		table.insert(xml, [[				</group>]])
-		table.insert(xml, [[			</groups>]])
-		table.insert(xml, [[		</domain>]])
+		xml:append([[					</users>]])
+		xml:append([[				</group>]])
+		xml:append([[			</groups>]])
+		xml:append([[		</domain>]])
 	end
 
-	table.insert(xml, [[	</section>]])
-	table.insert(xml, [[</document>]])
+	xml:append([[	</section>]])
+	xml:append([[</document>]])
+	XML_STRING = xml:build();
 
-	XML_STRING = table.concat(xml, "\n")
 	if (debug["xml_string"]) then
 		log.notice("XML_STRING "..XML_STRING)
 	end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/directory.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/directory.lua
index c450859b84..ae30827c5f 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/directory.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/directory.lua
@@ -11,10 +11,10 @@
 	end
 
 --build the xml
-	local xml = {}
-	table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]])
-	table.insert(xml, [[<document type="freeswitch/xml">]])
-	table.insert(xml, [[	<section name="directory">]])
+	local xml = Xml:new();
+	xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]])
+	xml:append([[<document type="freeswitch/xml">]])
+	xml:append([[	<section name="directory">]])
 
 --process when the sip profile is rescanned, sofia is reloaded, or sip redirect
 	local sql = "SELECT * FROM v_domains as d, v_extensions as e "
@@ -48,54 +48,54 @@
 	dbh:query(sql, sql_params, function(row)
 		if prev_domain_name ~= row.domain_name then
 			if prev_domain_name then
-				table.insert(xml, [[					</users>]])
-				table.insert(xml, [[				</group>]])
-				table.insert(xml, [[			</groups>]])
-				table.insert(xml, [[		</domain>]])
+				xml:append([[					</users>]])
+				xml:append([[				</group>]])
+				xml:append([[			</groups>]])
+				xml:append([[		</domain>]])
 			end
 			prev_domain_name = row.domain_name
-			table.insert(xml, [[		<domain name="]] .. row.domain_name .. [[" alias="true">]])
-			table.insert(xml, [[			<groups>]])
-			table.insert(xml, [[				<group name="default">]])
-			table.insert(xml, [[					<users>]])
+			xml:append([[		<domain name="]] .. xml.sanitize(row.domain_name) .. [[" alias="true">]])
+			xml:append([[			<groups>]])
+			xml:append([[				<group name="default">]])
+			xml:append([[					<users>]])
 		end
 
 		row.sip_from_user   = row.extension
 		row.sip_from_number = (#number_alias > 0) and number_alias or row.extension
 		local number_alias_string = ''
 		if #row.number_alias > 0 then
-			number_alias_string = ' number-alias="' .. row.number_alias .. '"'
+			number_alias_string = ' number-alias="' .. xml.sanitize(row.number_alias) .. '"'
 		end
 
-		table.insert(xml, [[						<user id="]] .. row.extension .. [["]] .. number_alias_string .. [[>]]);
-		table.insert(xml, [[							<params>]])
+		xml:append([[						<user id="]] .. xml.sanitize(row.extension) .. [["]] .. number_alias_string .. [[>]]);
+		xml:append([[							<params>]])
 		for name, param in pairs(params) do
 			if row[name] and #row[name] > 0 then
-				table.insert(xml, [[								<param name="]] .. param .. [[" value="]] .. row[name] .. [["/>]])
+				xml:append([[								<param name="]] .. xml.sanitize(param) .. [[" value="]] .. xml.sanitize(row[name]) .. [["/>]])
 			end
 		end
-		table.insert(xml, [[							</params>]])
-		table.insert(xml, [[							<variables>]])
+		xml:append([[							</params>]])
+		xml:append([[							<variables>]])
 		for name, param in pairs(variables) do
 			if row[name] and #row[name] > 0 then
-				table.insert(xml, [[								<variable name="]] .. param .. [[" value="]] .. row[name] .. [["/>]])
+				xml:append([[								<variable name="]] .. xml.sanitize(param) .. [[" value="]] .. xml.sanitize(row[name]) .. [["/>]])
 			end
 		end
-		table.insert(xml, [[							</variables>]])
-		table.insert(xml, [[						</user>]])
+		xml:append([[							</variables>]])
+		xml:append([[						</user>]])
 	end)
 
 	if prev_domain_name then
-		table.insert(xml, [[					</users>]])
-		table.insert(xml, [[				</group>]])
-		table.insert(xml, [[			</groups>]])
-		table.insert(xml, [[		</domain>]])
+		xml:append([[					</users>]])
+		xml:append([[				</group>]])
+		xml:append([[			</groups>]])
+		xml:append([[		</domain>]])
 	end
 
-	table.insert(xml, [[	</section>]])
-	table.insert(xml, [[</document>]])
+	xml:append([[	</section>]])
+	xml:append([[</document>]])
+	XML_STRING = xml:build();
 
-	XML_STRING = table.concat(xml, "\n")
 	if (debug["xml_string"]) then
 		log.notice("XML_STRING "..XML_STRING)
 	end
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/domains.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/domains.lua
index e68a2a1f9a..48aa60304c 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/domains.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/domains.lua
@@ -24,6 +24,9 @@
 --	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 --	POSSIBILITY OF SUCH DAMAGE.
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --connect to the database
 	local Database = require "resources.functions.database";
 	dbh = Database.new('system');
@@ -32,17 +35,17 @@
 	assert(dbh:connected());
 
 --process when the sip profile is rescanned, sofia is reloaded, or sip redirect
-	local xml = {}
-	table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-	table.insert(xml, [[<document type="freeswitch/xml">]]);
-	table.insert(xml, [[	<section name="directory">]]);
+	local xml = Xml:new();
+	xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+	xml:append([[<document type="freeswitch/xml">]]);
+	xml:append([[	<section name="directory">]]);
 	local sql = "SELECT domain_name FROM v_domains ";
 	dbh:query(sql, function(row)
-		table.insert(xml, [[		<domain name="]]..row.domain_name..[[" />]]);
+		xml:append([[		<domain name="]] .. xml.sanitize(row.domain_name) .. [[" />]]);
 	end);
-	table.insert(xml, [[	</section>]]);
-	table.insert(xml, [[</document>]]);
-	XML_STRING = table.concat(xml, "\n");
+	xml:append([[	</section>]]);
+	xml:append([[</document>]]);
+	XML_STRING = xml:build();
 
 --close the database connection
 	dbh:release();
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/group_call.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/group_call.lua
index 384765f568..8a9f6a8676 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/group_call.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/group_call.lua
@@ -101,12 +101,12 @@
 			--end
 
 		--build the xml array
-			local xml = {}
-			table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-			table.insert(xml, [[<document type="freeswitch/xml">]]);
-			table.insert(xml, [[	<section name="directory">]]);
-			table.insert(xml, [[		<domain name="]] .. domain_name .. [[">]]);
-			table.insert(xml, [[		<groups>]]);
+			local xml = Xml:new();
+			xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+			xml:append([[<document type="freeswitch/xml">]]);
+			xml:append([[	<section name="directory">]]);
+			xml:append([[		<domain name="]] .. xml.sanitize(domain_name) .. [[">]]);
+			xml:append([[		<groups>]]);
 			previous_call_group = "";
 			for key, value in pairs(call_group_array) do
 				call_group = trim(key);
@@ -115,23 +115,23 @@
 					freeswitch.consoleLog("notice", "[directory] call_group: " .. call_group .. "\n");
 					freeswitch.consoleLog("notice", "[directory] extension_list: " .. extension_list .. "\n");
 					if (previous_call_group ~= call_group) then
-						table.insert(xml, [[			<group name="]]..call_group..[[">]]);
-						table.insert(xml, [[				<users>]]);
+						xml:append([[			<group name="]] .. xml.sanitize(call_group) .. [[">]]);
+						xml:append([[				<users>]]);
 						extension_array = explode(",", extension_list);
 						for index,tmp_extension in pairs(extension_array) do
-								table.insert(xml, [[					<user id="]]..tmp_extension..[[" type="pointer"/>]]);
+							xml:append([[					<user id="]] .. xml.sanitize(tmp_extension) .. [[" type="pointer"/>]]);
 						end
-						table.insert(xml, [[				</users>]]);
-						table.insert(xml, [[			</group>]]);
+						xml:append([[				</users>]]);
+						xml:append([[			</group>]]);
 					end
 					previous_call_group = call_group;
 				end
 			end
-			table.insert(xml, [[		</groups>]]);
-			table.insert(xml, [[		</domain>]]);
-			table.insert(xml, [[	</section>]]);
-			table.insert(xml, [[</document>]]);
-			XML_STRING = table.concat(xml, "\n");
+			xml:append([[		</groups>]]);
+			xml:append([[		</domain>]]);
+			xml:append([[	</section>]]);
+			xml:append([[</document>]]);
+			XML_STRING = xml:build();
 
 		--close the database connection
 			dbh:release();
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/reverse-auth-lookup.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/reverse-auth-lookup.lua
index a9853bd145..a29b931bce 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/reverse-auth-lookup.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/action/reverse-auth-lookup.lua
@@ -46,6 +46,7 @@
 
 --exits the script if we didn't connect properly
 	assert(dbh:connected());
+
 --get the domain_uuid
 	if (domain_uuid == nil) then
 		if (domain_name ~= nil) then
@@ -90,21 +91,21 @@
 
 --build the xml
 	if (domain_name ~= nil and extension ~= nil and password ~= nil) then
-		local xml = {}
-		--table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-		table.insert(xml, [[<document type="freeswitch/xml">]]);
-		table.insert(xml, [[	<section name="directory">]]);
-		table.insert(xml, [[		<domain name="]] .. domain_name .. [[" alias="true">]]);
-		table.insert(xml, [[			<user id="]] .. extension .. [["]] .. number_alias .. [[>]]);
-		table.insert(xml, [[				<params>]]);
-		table.insert(xml, [[					<param name="reverse-auth-user" value="]] .. extension .. [["/>]]);
-		table.insert(xml, [[					<param name="reverse-auth-pass" value="]] .. password .. [["/>]]);
-		table.insert(xml, [[				</params>]]);
-		table.insert(xml, [[			</user>]]);
-		table.insert(xml, [[		</domain>]]);
-		table.insert(xml, [[	</section>]]);
-		table.insert(xml, [[</document>]]);
-		XML_STRING = table.concat(xml, "\n");
+		local xml = Xml:new();
+		--xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+		xml:append([[<document type="freeswitch/xml">]]);
+		xml:append([[	<section name="directory">]]);
+		xml:append([[		<domain name="]] .. xml.sanitize(domain_name) .. [[" alias="true">]]);
+		xml:append([[			<user id="]] .. xml.sanitize(extension) .. [["]] .. xml.sanitize(number_alias) .. [[>]]);
+		xml:append([[				<params>]]);
+		xml:append([[					<param name="reverse-auth-user" value="]] .. xml.sanitize(extension) .. [["/>]]);
+		xml:append([[					<param name="reverse-auth-pass" value="]] .. xml.sanitize(password) .. [["/>]]);
+		xml:append([[				</params>]]);
+		xml:append([[			</user>]]);
+		xml:append([[		</domain>]]);
+		xml:append([[	</section>]]);
+		xml:append([[</document>]]);
+		XML_STRING = xml:build();
 	end
 
 --close the database connection
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua
index 224b0de430..78f59fd2bf 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua
@@ -52,6 +52,7 @@ continue = true;
 		json = require "resources.functions.lunajson"
 	end
 
+--include xml library
 	local Xml = require "resources.functions.xml";
 
 --include cache library
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/languages/languages.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/languages/languages.lua
index 0480236847..5775820290 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/languages/languages.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/languages/languages.lua
@@ -30,6 +30,9 @@
 --general functions
 	require "resources.functions.is_uuid";
 
+--include xml library
+	local Xml = require "resources.functions.xml";
+
 --set the default
 	continue = true;
 
@@ -96,15 +99,15 @@
 				-- if macro_name is a uuid get from the phrase details
 					if (is_uuid(macro_name)) then
 						--define the xml table
-							local xml = {}
+							local xml = Xml:new();
 
 						--get the xml
-							table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-							table.insert(xml, [[<document type="freeswitch/xml">]]);
-							table.insert(xml, [[	<section name="languages">]]);
-							table.insert(xml, [[		<language name="]]..language..[[" say-module="]]..language..[[" sound-prefix="]]..sounds_dir..[[/]]..language..[[/us/callie" tts-engine="cepstral" tts-voice="callie">]]);
-							table.insert(xml, [[			<phrases>]]);
-							table.insert(xml, [[				<macros>]]);
+							xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+							xml:append([[<document type="freeswitch/xml">]]);
+							xml:append([[	<section name="languages">]]);
+							xml:append([[		<language name="]] .. xml.sanitize(language) .. [[" say-module="]] .. xml.sanitize(language) .. [[" sound-prefix="]] .. xml.sanitize(sounds_dir) .. [[/]] .. xml.sanitize(language) .. [[/us/callie" tts-engine="cepstral" tts-voice="callie">]]);
+							xml:append([[			<phrases>]]);
+							xml:append([[				<macros>]]);
 
 							local sql = "SELECT * FROM v_phrases as p, v_phrase_details as d ";
 							sql = sql .. "WHERE d.domain_uuid = :domain_uuid ";
@@ -128,32 +131,32 @@
 								--phrase_detail_type,phrase_detail_order
 								if (previous_phrase_uuid ~= row.phrase_uuid) then
 									if (x > 0) then
-										table.insert(xml, [[							</match>]]);
-										table.insert(xml, [[						</input>]]);
-										table.insert(xml, [[					</macro>]]);
+										xml:append([[							</match>]]);
+										xml:append([[						</input>]]);
+										xml:append([[					</macro>]]);
 									end
-									table.insert(xml, [[					<macro name="]]..row.phrase_uuid..[[">]]);
-									table.insert(xml, [[						<input pattern=\"(.*)\">]]);
-									table.insert(xml, [[							<match>]]);
+									xml:append([[					<macro name="]] .. xml.sanitize(row.phrase_uuid) .. [[">]]);
+									xml:append([[						<input pattern=\"(.*)\">]]);
+									xml:append([[							<match>]]);
 									match_open_tag = true
 								end
-								table.insert(xml, [[								<action function="]]..row.phrase_detail_function..[[" data="]]..row.phrase_detail_data..[["/>]]);
+								xml:append([[								<action function="]] .. xml.sanitize(row.phrase_detail_function) .. [[" data="]] .. xml.sanitize(row.phrase_detail_data) .. [["/>]]);
 								previous_phrase_uuid = row.phrase_uuid;
 								x = x + 1;
 							end);
 							if (x > 0) then
-								table.insert(xml, [[							</match>]]);
-								table.insert(xml, [[						</input>]]);
-								table.insert(xml, [[					</macro>]]);
+								xml:append([[							</match>]]);
+								xml:append([[						</input>]]);
+								xml:append([[					</macro>]]);
 							end
-							table.insert(xml, [[				</macros>]]);
+							xml:append([[				</macros>]]);
 
 						--output xml & close previous file
-							table.insert(xml, [[			</phrases>]]);
-							table.insert(xml, [[		</language>]]);
-							table.insert(xml, [[	</section>]]);
-							table.insert(xml, [[</document>]]);
-							XML_STRING = table.concat(xml, "\n");
+							xml:append([[			</phrases>]]);
+							xml:append([[		</language>]]);
+							xml:append([[	</section>]]);
+							xml:append([[</document>]]);
+							XML_STRING = xml:build();
 					end
 
 				--log to the console