diff --git a/app/contacts/contact_relations.php b/app/contacts/contact_relations.php
index b91d0b75d7..df45e1d629 100644
--- a/app/contacts/contact_relations.php
+++ b/app/contacts/contact_relations.php
@@ -17,22 +17,56 @@ The Initial Developer of the Original Code is Mark J Crane
- Portions created by the Initial Developer are Copyright (C) 2008-2012
+ Portions created by the Initial Developer are Copyright (C) 2008-2018
 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane */
-require_once "root.php";
-require_once "resources/require.php";
-require_once "resources/check_auth.php";
-if (permission_exists('contact_relation_view')) {
- //access granted
-}
-else {
- echo "access denied";
- exit;
-}
+
+//includes
+ require_once "root.php";
+ require_once "resources/require.php";
+ require_once "resources/check_auth.php";
+
+//check permissions
+ if (permission_exists('contact_relation_view')) {
+ //access granted
+ }
+ else {
+ echo "access denied";
+ exit;
+ }
+
+//get the related contacts
+ $sql = "select ";
+ $sql .= "cr.contact_relation_uuid, ";
+ $sql .= "cr.relation_label, ";
+ $sql .= "c.contact_uuid, ";
+ $sql .= "c.contact_organization, ";
+ $sql .= "c.contact_name_given, ";
+ $sql .= "c.contact_name_family ";
+ $sql .= "from ";
+ $sql .= "v_contact_relations as cr, ";
+ $sql .= "v_contacts as c ";
+ $sql .= "where ";
+ $sql .= "cr.relation_contact_uuid = c.contact_uuid ";
+ $sql .= "and cr.domain_uuid = '".$_SESSION['domain_uuid']."' ";
+ $sql .= "and cr.contact_uuid = '".$contact_uuid."' ";
+ $sql .= "order by ";
+ $sql .= "c.contact_organization desc, ";
+ $sql .= "c.contact_name_given asc, ";
+ $sql .= "c.contact_name_family asc ";
+ //echo $sql."

";
+ $prep_statement = $db->prepare(check_sql($sql));
+ $prep_statement->execute();
+ $contact_relations = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+ unset ($prep_statement, $sql);
+
+//set the row style
+ $c = 0;
+ $row_style["0"] = "row_style0";
+ $row_style["1"] = "row_style1";
 //show the content echo "\n";
@@ -42,38 +76,8 @@ else {
 echo "\n";
 echo "
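Review bot: The moved query still builds its WHERE clause by string interpolation at `$sql .= "and cr.domain_uuid = '".$_SESSION['domain_uuid']."' ";` and the following `cr.contact_uuid` line, so the PDO prepare/execute pair protects nothing and the only guard is `check_sql()`, whose definition is not in this diff. `$contact_uuid` is not assigned anywhere in this file, so it presumably arrives from the page that includes it; since the statement is already prepared, both values should be bound instead: `$sql .= "and cr.domain_uuid = :domain_uuid ";`, `$sql .= "and cr.contact_uuid = :contact_uuid ";` and `$prep_statement->execute([':domain_uuid' => $_SESSION['domain_uuid'], ':contact_uuid' => $contact_uuid]);`. Confirm that `check_sql()` leaves named placeholders intact before making that change. The commented-out `//echo $sql` debug line could be dropped rather than moved along with the block.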
\n";
- //get the related contacts
- $sql = "select ";
- $sql .= "cr.contact_relation_uuid, ";
- $sql .= "cr.relation_label, ";
- $sql .= "c.contact_uuid, ";
- $sql .= "c.contact_organization, ";
- $sql .= "c.contact_name_given, ";
- $sql .= "c.contact_name_family ";
- $sql .= "from ";
- $sql .= "v_contact_relations as cr, ";
- $sql .= "v_contacts as c ";
- $sql .= "where ";
- $sql .= "cr.relation_contact_uuid = c.contact_uuid ";
- $sql .= "and cr.domain_uuid = '".$_SESSION['domain_uuid']."' ";
- $sql .= "and cr.contact_uuid = '".$contact_uuid."' ";
- $sql .= "order by ";
- $sql .= "c.contact_organization desc, ";
- $sql .= "c.contact_name_given asc, ";
- $sql .= "c.contact_name_family asc ";
- //echo $sql."

"; - $prep_statement = $db->prepare(check_sql($sql)); - $prep_statement->execute(); - $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); - $result_count = count($result); - unset ($prep_statement, $sql); - - $c = 0; - $row_style["0"] = "row_style0"; - $row_style["1"] = "row_style1"; - +//show the relations echo "\n"; - echo "\n"; echo "\n"; echo "\n"; @@ -85,29 +89,29 @@ else { echo "\n"; echo "\n"; - if ($result_count > 0) { - foreach($result as $row) { + if (is_array($contact_relations)) { + foreach($contact_relations as $row) { if (permission_exists('contact_relation_edit')) { - $tr_link = "href='contact_relation_edit.php?contact_uuid=".$row['contact_uuid']."&id=".$row['contact_relation_uuid']."' "; + $tr_link = "href='contact_relation_edit.php?contact_uuid=".escape($row['contact_uuid'])."&id=".escape($row['contact_relation_uuid'])."' "; } echo "\n"; - echo " \n"; - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; echo " \n"; echo "\n"; $c = ($c) ? 0 : 1; } //end foreach - unset($sql, $result, $row_count); + unset($sql, $contact_relations); } //end if results echo "
".$text['label-contact_relation_label']."".$text['label-contact_relation_organization']."
".$row['relation_label']." ".escape($row['relation_label'])." "; if (permission_exists('contact_relation_edit')) { - echo "$v_link_label_edit"; + echo "$v_link_label_edit"; } if (permission_exists('contact_relation_delete')) { - echo "$v_link_label_delete"; + echo "$v_link_label_delete"; } echo "
"; -?> \ No newline at end of file +?>
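Review bot: In the new `$tr_link` line, `escape($row['contact_uuid'])` and `escape($row['contact_relation_uuid'])` apply what looks like HTML escaping (escape() is not defined in this diff) to values placed inside a URL query string, where the matching encoder is `urlencode()`; the line would read `$tr_link = "href='contact_relation_edit.php?contact_uuid=".urlencode($row['contact_uuid'])."&id=".urlencode($row['contact_relation_uuid'])."' ";`. For UUIDs read straight from the database either encoder is harmless in practice, so this is about using the escaper that matches the output context rather than a live defect. Separately, `if (is_array($contact_relations))` is always true for a `fetchAll()` result, so the `//end if results` comment no longer describes the guard; `if (!empty($contact_relations))` would match the comment, or the guard can go since the foreach already handles an empty array. The `if`/`foreach` block opens and closes inside this hunk; the re-added closing `?>` on the last line is unnecessary in a PHP-only file and is usually omitted.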