From 95c3da9f13b79ef04b2c481b96c64b0cf002c192 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Fri, 23 Aug 2019 21:38:17 -0600
Subject: [PATCH] Update user_edit.php

---
 core/users/user_edit.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/core/users/user_edit.php b/core/users/user_edit.php
index 77a7b85681..11c2e30f8e 100644
--- a/core/users/user_edit.php
+++ b/core/users/user_edit.php
@@ -45,7 +45,7 @@
 	}
 	else {
 		// load users own account
-		header("Location: user_edit.php?id=".$_SESSION['user_uuid']);
+		header("Location: user_edit.php?id=".urlencode($_SESSION['user_uuid']));
 		exit;
 	}
 
@@ -206,7 +206,7 @@
 		//return if error
 			if (message::count() != 0) {
 				$_SESSION['tmp'][$_SERVER['PHP_SELF']]['user'] = $_POST;
-				header("Location: user_edit.php".(permission_exists('user_edit') && $action != 'add' ? "?id=".$user_uuid : null));
+				header("Location: user_edit.php".(permission_exists('user_edit') && $action != 'add' ? "?id=".urlencode($user_uuid) : null));
 				exit;
 			}
 
@@ -666,7 +666,7 @@
 		echo "	<input type='button' class='btn' style='margin-right: 10px;' onclick=\"window.location='users.php'\" value='".$text['button-back']."'>";
 	}
 	if (permission_exists('ticket_add') || permission_exists('ticket_edit')) {
-		echo "	<input type='button' class='btn' style='margin-right: 3px;' onclick=\"window.location='/app/tickets/tickets.php?user_uuid=".escape($user_uuid)."'\" value='".$text['button-tickets']."'>";
+		echo "	<input type='button' class='btn' style='margin-right: 3px;' onclick=\"window.location='/app/tickets/tickets.php?user_uuid=".urlencode($user_uuid)."'\" value='".$text['button-tickets']."'>";
 	}
 	echo "	<input type='submit' class='btn' value='".$text['button-save']."'>";
 	echo "</div>\n";
@@ -875,7 +875,7 @@
 		echo "<br />\n";
 		echo $text['description-contact']."\n";
 		if (strlen($contact_uuid) > 0) {
-			echo "			<a href=\"".PROJECT_PATH."/app/contacts/contact_edit.php?id=".escape($contact_uuid)."\">".$text['description-contact_view']."</a>\n";
+			echo "			<a href=\"".PROJECT_PATH."/app/contacts/contact_edit.php?id=".urlencode($contact_uuid)."\">".$text['description-contact_view']."</a>\n";
 		}
 		echo "		</td>";
 		echo "	</tr>";
@@ -930,7 +930,7 @@
 					echo "	</td>\n";
 					if (permission_exists('group_member_delete') || if_group("superadmin")) {
 						echo "	<td class='list_control_icons' style='width: 25px;'>\n";
-						echo "		<a href='user_edit.php?id=".escape($user_uuid)."&domain_uuid=".escape($domain_uuid)."&group_uuid=".escape($field['group_uuid'])."&a=delete' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>\n";
+						echo "		<a href='user_edit.php?id=".urlencode($user_uuid)."&domain_uuid=".urlencode($domain_uuid)."&group_uuid=".urlencode($field['group_uuid'])."&a=delete' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>\n";
 						echo "	</td>\n";
 					}
 					echo "</tr>\n";