From 2e29cebf39146412d31ea09aa097d23f3f53ca72 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Tue, 5 Jun 2018 18:46:51 -0600
Subject: [PATCH] Update voicemails.php

---
 app/voicemails/voicemails.php | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/app/voicemails/voicemails.php b/app/voicemails/voicemails.php
index 9e069316f5..bb3f96eb1b 100644
--- a/app/voicemails/voicemails.php
+++ b/app/voicemails/voicemails.php
@@ -148,7 +148,7 @@
 	echo "		</td>\n";
 	echo "			<td width='30%' align='right' valign='top'>\n";
 	echo "				<form method='get' action=''>\n";
-	echo "				<input type='text' class='txt' style='width: 150px' name='search' id='search' value='".$search."'>";
+	echo "				<input type='text' class='txt' style='width: 150px' name='search' id='search' value='".escape($search)."'>";
 	echo "				<input type='submit' class='btn' name='submit' value='".$text['button-search']."'>";
 	echo "				</form>\n";
 	echo "			</td>\n";
@@ -186,28 +186,28 @@
 	if ($num_rows > 0) {
 
 		foreach($voicemails as $row) {
-			$tr_link = (permission_exists('voicemail_edit')) ? "href='voicemail_edit.php?id=".$row['voicemail_uuid']."'" : null;
+			$tr_link = (permission_exists('voicemail_edit')) ? "href='voicemail_edit.php?id=".escape($row['voicemail_uuid'])."'" : null;
 			echo "<tr ".$tr_link.">\n";
 			if (permission_exists('voicemail_delete')) {
 				echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='text-align: center; vertical-align: middle; padding: 0px;'>";
-				echo "		<input type='checkbox' name='id[]' id='checkbox_".$row['voicemail_uuid']."' value='".$row['voicemail_uuid']."' onclick=\"if (!this.checked) { document.getElementById('chk_all').checked = false; }\">";
+				echo "		<input type='checkbox' name='id[]' id='checkbox_".escape($row['voicemail_uuid'])."' value='".escape($row['voicemail_uuid'])."' onclick=\"if (!this.checked) { document.getElementById('chk_all').checked = false; }\">";
 				echo "	</td>";
 				$vm_ids[] = 'checkbox_'.$row['voicemail_uuid'];
 			}
 			echo "	<td valign='top' class='".$row_style[$c]."'>";
 			if (permission_exists('voicemail_edit')) {
-				echo "<a href='voicemail_edit.php?id=".$row['voicemail_uuid']."'>".$row['voicemail_id']."</a>";
+				echo "<a href='voicemail_edit.php?id=".escape($row['voicemail_uuid'])."'>".escape($row['voicemail_id'])."</a>";
 			}
 			else {
-				echo $row['voicemail_id'];
+				echo escape($row['voicemail_id']);
 			}
 			echo "	</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['voicemail_mail_to']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['voicemail_mail_to'])."&nbsp;</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".(($row['voicemail_file'] == 'attach') ? $text['label-true'] : $text['label-false'])."</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".ucwords($row['voicemail_local_after_email'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".ucwords(escape($row['voicemail_local_after_email']))."&nbsp;</td>\n";
 			echo "	<td valign='middle' class='".$row_style[$c]."' style='white-space: nowrap;'>\n";
 			if (permission_exists('voicemail_message_view')) {
-				echo "		<a href='voicemail_messages.php?id=".$row['voicemail_uuid']."'>".$text['label-messages']."</a>&nbsp;&nbsp;\n";
+				echo "		<a href='voicemail_messages.php?id=".escape($row['voicemail_uuid'])."'>".$text['label-messages']."</a>&nbsp;&nbsp;\n";
 			}
 			if (permission_exists('voicemail_greeting_view')) {
 				echo "		<a href='".PROJECT_PATH."/app/voicemail_greetings/voicemail_greetings.php?id=".$row['voicemail_id']."&back=".urlencode($_SERVER["REQUEST_URI"])."'>".$text['label-greetings']."</a>\n";
@@ -218,10 +218,10 @@
 			if (permission_exists('voicemail_edit') || permission_exists('voicemail_delete')) {
 				echo "	<td class='list_control_icons' style='width: 25px;'>";
 				if (permission_exists('voicemail_edit')) {
-					echo "<a href='voicemail_edit.php?id=".$row['voicemail_uuid']."' alt='".$text['button-edit']."'>".$v_link_label_edit."</a>";
+					echo "<a href='voicemail_edit.php?id=".escape($row['voicemail_uuid'])."' alt='".$text['button-edit']."'>".$v_link_label_edit."</a>";
 				}
 				if (permission_exists('voicemail_delete')) {
-					echo "<a href='voicemail_delete.php?id[]=".$row['voicemail_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>";
+					echo "<a href='voicemail_delete.php?id[]=".escape($row['voicemail_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>";
 				}
 				echo "	</td>\n";
 			}
@@ -276,4 +276,5 @@
 
 //include the footer
 	require_once "resources/footer.php";
+
 ?>