From 8a744da3279abcd2684f787eddc8ce88bf4a7ca4 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Wed, 4 Jul 2018 12:01:09 -0600
Subject: [PATCH] Update sip_profiles.php

---
 app/sip_profiles/sip_profiles.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/app/sip_profiles/sip_profiles.php b/app/sip_profiles/sip_profiles.php
index fe880bab52..80aa5cdf5a 100644
--- a/app/sip_profiles/sip_profiles.php
+++ b/app/sip_profiles/sip_profiles.php
@@ -93,8 +93,12 @@
 	$prep_statement = $db->prepare(check_sql($sql));
 	$prep_statement->execute();
 	$sip_profiles = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	foreach ($sip_profiles as &$row) { $row = array_map("escape", $row); }
 	unset ($prep_statement, $sql);
 
+//escape the search
+	$search = escape($search);
+
 //alternate the row style
 	$c = 0;
 	$row_style["0"] = "row_style0";
@@ -106,7 +110,7 @@
 	echo "		<td width='50%' align='left' nowrap='nowrap'><b>".$text['title-sip_profiles']."</b></td>\n";
 	echo "		<form method='get' action=''>\n";
 	echo "			<td width='50%' style='vertical-align: top; text-align: right; white-space: nowrap;'>\n";
-	echo "				<input type='text' class='txt' style='width: 150px' name='search' id='search' value='".escape($search)."'>\n";
+	echo "				<input type='text' class='txt' style='width: 150px' name='search' id='search' value='".$search."'>\n";
 	echo "				<input type='submit' class='btn' name='submit' value='".$text['button-search']."'>\n";
 	echo "			</td>\n";
 	echo "		</form>\n";
@@ -137,19 +141,19 @@
 	if (is_array($sip_profiles)) {
 		foreach($sip_profiles as $row) {
 			if (permission_exists('sip_profile_edit')) {
-				$tr_link = "href='sip_profile_edit.php?id=".escape($row['sip_profile_uuid'])."'";
+				$tr_link = "href='sip_profile_edit.php?id=".$row['sip_profile_uuid']."'";
 			}
 			echo "<tr ".$tr_link.">\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['sip_profile_name'])."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['sip_profile_hostname'])."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['sip_profile_enabled'])."&nbsp;</td>\n";
-			echo "	<td valign='top' class='row_stylebg'>".escape($row['sip_profile_description'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['sip_profile_name']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['sip_profile_hostname']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['sip_profile_enabled']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='row_stylebg'>".$row['sip_profile_description']."&nbsp;</td>\n";
 			echo "	<td class='list_control_icons'>";
 			if (permission_exists('sip_profile_edit')) {
-				echo "<a href='sip_profile_edit.php?id=".escape($row['sip_profile_uuid'])."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
+				echo "<a href='sip_profile_edit.php?id=".$row['sip_profile_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
 			}
 			if (permission_exists('sip_profile_delete')) {
-				echo "<a href='sip_profile_delete.php?id=".escape($row['sip_profile_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
+				echo "<a href='sip_profile_delete.php?id=".$row['sip_profile_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
 			}
 			echo "	</td>\n";
 			echo "</tr>\n";