From 7dc5338e4d2a86fbbeea5718e87779dd94e11602 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Sat, 2 Jun 2018 21:51:31 -0600
Subject: [PATCH] Update devices.php

---
 app/devices/devices.php | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/app/devices/devices.php b/app/devices/devices.php
index 8a4d17d3fd..93259b5f1d 100644
--- a/app/devices/devices.php
+++ b/app/devices/devices.php
@@ -204,7 +204,7 @@
 	if (permission_exists('device_export')) {
 		echo "			<input type='button' class='btn' value='".$text['button-export']."' onclick=\"window.location.href='device_download.php'\">\n";
 	}
-	echo "			<input type='text' class='txt' style='width: 150px; margin-left: 15px;' name='search' value='".$search."'>\n";
+	echo "			<input type='text' class='txt' style='width: 150px; margin-left: 15px;' name='search' value='".escape($search)."'>\n";
 	echo "			<input type='submit' class='btn' name='submit' value='".$text['button-search']."'>\n";
 	echo "			</form>\n";
 	echo "		</td>\n";
@@ -249,7 +249,7 @@
 	echo "</td>\n";
 	echo "<tr>\n";
 
-	if (count($devices) > 0) {
+	if (is_array($devices)) {
 		foreach($devices as $row) {
 
 			$device_profile_name = '';
@@ -259,28 +259,28 @@
 				}
 			}
 
-			$tr_link = (permission_exists('device_edit')) ? "href='device_edit.php?id=".$row['device_uuid']."'" : null;
+			$tr_link = (permission_exists('device_edit')) ? "href='device_edit.php?id=".escape($row['device_uuid'])."'" : null;
 			echo "<tr ".$tr_link.">\n";
 			if ($_GET['show'] == "all" && permission_exists('device_all')) {
-				echo "	<td valign='top' class='".$row_style[$c]."'>".$_SESSION['domains'][$row['domain_uuid']]['domain_name']."</td>\n";
+				echo "	<td valign='top' class='".$row_style[$c]."'>".escape($_SESSION['domains'][$row['domain_uuid']]['domain_name'])."</td>\n";
 			}
 			echo "	<td valign='top' class='".$row_style[$c]."'>\n";
-			echo (permission_exists('device_edit')) ? "<a href='device_edit.php?id=".$row['device_uuid']."'>".format_mac($row['device_mac_address'])."</a>" : format_mac($row['device_mac_address']);
+			echo (permission_exists('device_edit')) ? "<a href='device_edit.php?id=".escape($row['device_uuid'])."'>".format_mac(escape($row['device_mac_address']))."</a>" : format_mac(escape($row['device_mac_address']));
 			echo "	</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['device_label']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['device_label'])."&nbsp;</td>\n";
 			if ($device_alternate) {
 				echo "	<td valign='top' class='".$row_style[$c]."'>\n";
 				if (strlen($row['device_uuid_alternate']) > 0) {
-					echo "		<a href='device_edit.php?id=".$row['device_uuid_alternate']."' alt=''>".$row['alternate_label']."</a>\n";
+					echo "		<a href='device_edit.php?id=".escape($row['device_uuid_alternate'])."' alt=''>".escape($row['alternate_label'])."</a>\n";
 				}
 				echo "	</td>\n";
 			}
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['device_vendor']."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['device_template']."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$device_profile_name."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$text['label-'.$row['device_enabled']]."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['device_provisioned_date']." - ".$row['device_provisioned_method']." - <a href='http://".$row['device_provisioned_ip']."' target='_blank'>".$row['device_provisioned_ip']."</a>&nbsp;</td>\n";
-			echo "	<td valign='top' class='row_stylebg'>".$row['device_description']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['device_vendor'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['device_template'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($device_profile_name)."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".$text['label-'.escape($row['device_enabled'])]."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['device_provisioned_date'])." - ".escape($row['device_provisioned_method'])." - <a href='http://".escape($row['device_provisioned_ip'])."' target='_blank'>".escape($row['device_provisioned_ip'])."</a>&nbsp;</td>\n";
+			echo "	<td valign='top' class='row_stylebg'>".escape($row['device_description'])."&nbsp;</td>\n";
 			echo "	<td class='list_control_icons'>\n";
 			if (permission_exists('device_edit')) {
 				echo "<a href='device_edit.php?id=".$row['device_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";