diff --git a/core/default_settings/default_settings.php b/core/default_settings/default_settings.php index e457d081fb..6f9f58f06b 100644 --- a/core/default_settings/default_settings.php +++ b/core/default_settings/default_settings.php @@ -17,22 +17,26 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2016 + Portions created by the Initial Developer are Copyright (C) 2008-2018 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane */ -require_once "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('default_setting_view')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + require_once "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + +//check permissions + if (permission_exists('default_setting_view')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; @@ -54,7 +58,7 @@ else { unset($sql); messages::add($text['message-update']); - header("Location: default_settings.php".(($search != '') ? "?search=".$search : null)."#anchor_".$category); + header("Location: default_settings.php".(($search != '') ? "?search=".escape($search) : null)."#anchor_".escape($category)); exit; } @@ -163,14 +167,14 @@ else { } // foreach // set message - $_SESSION["message"] = $text['message-copy'].": ".$settings_copied; + $_SESSION["message"] = $text['message-copy'].": ".escape($settings_copied); } else { // set message messages::add($text['message-copy_failed']); } - header("Location: default_settings.php".(($search != '') ? "?search=".$search : null)); + header("Location: default_settings.php".(($search != '') ? "?search=".escape($search) : null)); exit; } 
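Review bot: The redirect at the `header("Location: …")` line in this hunk wraps a URL query component in escape(), which elsewhere in this diff replaces htmlspecialchars() and so appears to be an HTML-context encoder, the wrong one for a Location header: an `&`, `#`, `+` or space in `$search` either reaches the URL unencoded or arrives as an HTML entity that the receiving script will not decode. Percent-encoding is the correct encoder here: `header("Location: default_settings.php".(($search != '') ? "?search=".urlencode($search) : null)."#anchor_".rawurlencode($category));`. The same header() change is repeated in the hunks at -163 and -193 and should use urlencode() there as well. The enclosing POST-handling block starts and ends outside this hunk.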
@@ -193,7 +197,7 @@ else { messages::add($text['message-delete_failed'], 'negative'); } - header("Location: default_settings.php".(($search != '') ? "?search=".$search : null)); + header("Location: default_settings.php".(($search != '') ? "?search=".escape($search) : null)); exit; } } // post @@ -272,14 +276,14 @@ else { echo " ".$text['description-default_settings']; echo " \n"; echo " "; - echo " \n"; + echo " \n"; if (permission_exists("domain_select") && permission_exists("domain_setting_add") && count($_SESSION['domains']) > 1) { echo " "; echo " "; echo " \n"; echo " "; @@ -344,22 +348,22 @@ else { echo ""; echo ""; } - echo "
"; - echo ""; + echo "
"; + echo ""; echo ""; switch (strtolower($row['default_setting_category'])) { case "api" : echo "API"; break; case "cdr" : echo "CDR"; break; case "ldap" : echo "LDAP"; break; case "ivr menu" : echo "IVR Menu"; break; - default: echo ucwords(str_replace("_", " ", $row['default_setting_category'])); + default: echo ucwords(str_replace("_", " ", escape($row['default_setting_category']))); } echo "\n"; echo "\n"; echo "\n"; if ( (permission_exists("domain_select") && permission_exists("domain_setting_add") && count($_SESSION['domains']) > 1) || permission_exists('default_setting_delete') ) { - echo ""; + echo ""; } echo ""; echo ""; @@ -377,21 +381,21 @@ else { echo "\n"; } - $tr_link = (permission_exists('default_setting_edit')) ? "href=\"javascript:document.location.href='default_setting_edit.php?id=".$row['default_setting_uuid']."&search='+$('#default_setting_search').val();\"" : null; + $tr_link = (permission_exists('default_setting_edit')) ? "href=\"javascript:document.location.href='default_setting_edit.php?id=".escape($row['default_setting_uuid'])."&search='+$('#default_setting_search').val();\"" : null; echo "\n"; if ( (permission_exists("domain_select") && permission_exists("domain_setting_add") && count($_SESSION['domains']) > 1) || permission_exists("default_setting_delete") ) { - echo " \n"; + echo " \n"; $subcat_ids[strtolower($row['default_setting_category'])][] = 'checkbox_'.$row['default_setting_uuid']; } echo " \n"; - echo " \n"; + echo " \n"; echo " \n"; echo " \n"; - echo " \n"; + echo " \n"; echo " \n"; echo "\n"; @@ -490,9 +494,9 @@ else { echo "
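Review bot: In the `$tr_link` line, escape() is applied to `$row['default_setting_uuid']` inside a `javascript:` URL that is itself an HTML attribute value, so the HTML encoding only covers the attribute context: the browser decodes entities before evaluating the `javascript:` expression, and the value then sits inside a single-quoted JS string and a URL query with no encoding for either layer. Because the value is expected to be a UUID, the more robust check is to validate its format before building the link (a `preg_match()` against the UUID shape, or the project's own UUID validator if one exists) and to pass it through `rawurlencode()` for the query string, emitting `null` for `$tr_link` when validation fails. The other escape() additions in this hunk are in plain element content, where HTML encoding is the right context. The enclosing row loop starts and ends outside this hunk.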
".$text['label-subcategory']."".$text['label-type']."
"; if (permission_exists('default_setting_edit')) { - echo "".$row['default_setting_subcategory'].""; + echo "".escape($row['default_setting_subcategory']).""; } else { echo $row['default_setting_subcategory']; } echo " ".$row['default_setting_name']." ".escape($row['default_setting_name'])." \n"; $category = $row['default_setting_category']; @@ -432,29 +436,29 @@ else { } else { if ($category == "theme" && substr_count($subcategory, "_color") > 0 && ($name == "text" || $name == 'array')) { - echo " ".(img_spacer('15px', '15px', 'background: '.$row['default_setting_value'].'; margin-right: 4px; vertical-align: middle; border: 1px solid '.(color_adjust($row['default_setting_value'], -0.18)).'; padding: -1px;')); - echo "".htmlspecialchars($row['default_setting_value'])."\n"; + echo " ".(img_spacer('15px', '15px', 'background: '.escape($row['default_setting_value']).'; margin-right: 4px; vertical-align: middle; border: 1px solid '.(color_adjust($row['default_setting_value'], -0.18)).'; padding: -1px;')); + echo "".escape($row['default_setting_value'])."\n"; } else { - echo " ".htmlspecialchars($row['default_setting_value'])."\n"; + echo " ".escape($row['default_setting_value'])."\n"; } } echo " ".$row['default_setting_description']." ".escape($row['default_setting_description'])." "; if (permission_exists('default_setting_edit')) { - echo "$v_link_label_edit"; + echo "$v_link_label_edit"; } if (permission_exists('default_setting_delete')) { - echo "$v_link_label_delete"; + echo "$v_link_label_delete"; } echo "