From c53034c01fa3675a1db7d5d531bc94b05036edb2 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Wed, 6 Jun 2018 11:26:55 -0600
Subject: [PATCH] Update voicemail_messages.php

---
 app/voicemails/voicemail_messages.php | 35 ++++++++++++++-------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/app/voicemails/voicemail_messages.php b/app/voicemails/voicemail_messages.php
index be65098983..33ab0442d7 100644
--- a/app/voicemails/voicemail_messages.php
+++ b/app/voicemails/voicemail_messages.php
@@ -17,7 +17,7 @@
 
  The Initial Developer of the Original Code is
  Mark J Crane <markjcrane@fusionpbx.com>
- Portions created by the Initial Developer are Copyright (C) 2008-2015
+ Portions created by the Initial Developer are Copyright (C) 2008-2018
  the Initial Developer. All Rights Reserved.
 
  Contributor(s):
@@ -25,8 +25,8 @@
 */
 
 //includes
-require_once "root.php";
-require_once "resources/require.php";
+	require_once "root.php";
+	require_once "resources/require.php";
 
 //check permissions
 	if (!(check_str($_REQUEST["action"]) == "download" && check_str($_REQUEST["src"]) == "email")) {
@@ -94,12 +94,13 @@ require_once "resources/require.php";
 	echo $text['description-voicemail_message'];
 	echo "<br><br>";
 
+//set the row style
 	$c = 0;
 	$row_style["0"] = "row_style0";
 	$row_style["1"] = "row_style1";
 
 //loop through the voicemail messages
-	if (count($voicemails) > 0) {
+	if (is_array($voicemails)) {
 
 		echo "<form name='frm' id='frm' method='post' action=''>\n";
 
@@ -158,19 +159,19 @@ require_once "resources/require.php";
 					$style = ($row['message_status'] == '' && $_REQUEST["uuid"] != $row['voicemail_message_uuid']) ? "font-weight: bold;" : null;
 
 					//playback progress bar
-					echo "<tr id='recording_progress_bar_".$row['voicemail_message_uuid']."' style='display: none;'><td colspan='".((permission_exists('voicemail_message_delete')) ? 7 : 6)."' class='".$row_style[$c]." playback_progress_bar_background' style='padding: 0px; border: none;'><span class='playback_progress_bar' id='recording_progress_".$row['voicemail_message_uuid']."'></span></td></tr>\n";
+					echo "<tr id='recording_progress_bar_".escape($row['voicemail_message_uuid'])."' style='display: none;'><td colspan='".((permission_exists('voicemail_message_delete')) ? 7 : 6)."' class='".$row_style[$c]." playback_progress_bar_background' style='padding: 0px; border: none;'><span class='playback_progress_bar' id='recording_progress_".escape($row['voicemail_message_uuid'])."'></span></td></tr>\n";
 
-					$tr_link = "href=\"javascript:recording_play('".$row['voicemail_message_uuid']."');\"";
+					$tr_link = "href=\"javascript:recording_play('".escape($row['voicemail_message_uuid'])."');\"";
 					echo "<tr ".$tr_link.">\n";
 					if (permission_exists('voicemail_message_delete')) {
 						echo "	<td valign='top' class='".$row_style[$c]." tr_checkbox tr_link_void' style='text-align: center; vertical-align: middle; padding: 0px;'>";
-						echo "		<input type='checkbox' name='voicemail_messages[".$row['voicemail_uuid']."][]' id='checkbox_".$row['voicemail_message_uuid']."' value='".$row['voicemail_message_uuid']."' onclick=\"if (!this.checked) { document.getElementById('chk_all_".$row['voicemail_id']."').checked = false; }\">";
+						echo "		<input type='checkbox' name='voicemail_messages[".escape($row['voicemail_uuid'])."][]' id='checkbox_".$row['voicemail_message_uuid']."' value='".escape($row['voicemail_message_uuid'])."' onclick=\"if (!this.checked) { document.getElementById('chk_all_".escape($row['voicemail_id'])."').checked = false; }\">";
 						echo "	</td>";
 						$vm_msg_ids[$row['voicemail_id']][] = 'checkbox_'.$row['voicemail_message_uuid'];
 					}
-					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\" nowrap='nowrap'>".$row['created_date']."</td>\n";
-					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\">".$row['caller_id_name']."&nbsp;</td>\n";
-					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\">".$row['caller_id_number']."&nbsp;</td>\n";
+					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\" nowrap='nowrap'>".escape($row['created_date'])."</td>\n";
+					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\">".escape($row['caller_id_name'])."&nbsp;</td>\n";
+					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\">".escape($row['caller_id_number'])."&nbsp;</td>\n";
 					echo "	<td valign='top' class='".$row_style[$c]." row_style_slim tr_link_void' onclick=\"$(this).closest('tr').children('td').css('font-weight','normal');\">";
 						$recording_file_path = $file;
 						$recording_file_name = strtolower(pathinfo($recording_file_path, PATHINFO_BASENAME));
@@ -180,21 +181,21 @@ require_once "resources/require.php";
 							case "mp3" : $recording_type = "audio/mpeg"; break;
 							case "ogg" : $recording_type = "audio/ogg"; break;
 						}
-						echo "<audio id='recording_audio_".$row['voicemail_message_uuid']."' style='display: none;' ontimeupdate=\"update_progress('".$row['voicemail_message_uuid']."')\" preload='none' onended=\"recording_reset('".$row['voicemail_message_uuid']."');\" src=\"voicemail_messages.php?action=download&id=".$row['voicemail_id']."&voicemail_uuid=".$row['voicemail_uuid']."&uuid=".$row['voicemail_message_uuid']."\" type='".$recording_type."'></audio>";
-						echo "<a id='recording_button_".$row['voicemail_message_uuid']."' onclick=\"recording_play('".$row['voicemail_message_uuid']."');\" title='".$text['label-play']." / ".$text['label-pause']."'>".$v_link_label_play."</a>";
-						echo "<a href=\"voicemail_messages.php?action=download&t=bin&id=".$row['voicemail_id']."&voicemail_uuid=".$row['voicemail_uuid']."&uuid=".$row['voicemail_message_uuid']."\" title='".$text['label-download']."'>".$v_link_label_download."</a>";
+						echo "<audio id='recording_audio_".escape($row['voicemail_message_uuid'])."' style='display: none;' ontimeupdate=\"update_progress('".escape($row['voicemail_message_uuid'])."')\" preload='none' onended=\"recording_reset('".escape($row['voicemail_message_uuid'])."');\" src=\"voicemail_messages.php?action=download&id=".escape($row['voicemail_id'])."&voicemail_uuid=".escape($row['voicemail_uuid'])."&uuid=".escape($row['voicemail_message_uuid'])."\" type='".$recording_type."'></audio>";
+						echo "<a id='recording_button_".escape($row['voicemail_message_uuid'])."' onclick=\"recording_play('".escape($row['voicemail_message_uuid'])."');\" title='".$text['label-play']." / ".$text['label-pause']."'>".$v_link_label_play."</a>";
+						echo "<a href=\"voicemail_messages.php?action=download&t=bin&id=".escape($row['voicemail_id'])."&voicemail_uuid=".escape($row['voicemail_uuid'])."&uuid=".escape($row['voicemail_message_uuid'])."\" title='".$text['label-download']."'>".$v_link_label_download."</a>";
 					echo "	</td>\n";
-					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style." text-align: right;\" nowrap='nowrap'>".$row['message_length_label']."&nbsp;</td>\n";
+					echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style." text-align: right;\" nowrap='nowrap'>".escape($row['message_length_label'])."&nbsp;</td>\n";
 					if ($_SESSION['voicemail']['storage_type']['text'] != 'base64') {
-						echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style." text-align: right;\" nowrap='nowrap'>".$row['file_size_label']."</td>\n";
+						echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style." text-align: right;\" nowrap='nowrap'>".escape($row['file_size_label'])."</td>\n";
 					}
 					if ($_SESSION['voicemail']['transcribe_enabled']['boolean'] == 'true') {
-						echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\">".$row['message_transcription']."</td>\n";
+						echo "	<td valign='top' class='".$row_style[$c]."' style=\"".$style."\">".escape($row['message_transcription'])."</td>\n";
 					}
 
 					if (permission_exists('voicemail_message_delete')) {
 						echo "	<td class='list_control_icon' style='width: 25px;'>";
-						echo 		"<a href='voicemail_message_delete.php?voicemail_messages[".$row['voicemail_uuid']."][]=".$row['voicemail_message_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>";
+						echo 		"<a href='voicemail_message_delete.php?voicemail_messages[".escape($row['voicemail_uuid'])."][]=".escape($row['voicemail_message_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>";
 						echo "	</td>\n";
 					}
 					echo "</tr>\n";