From ca36d10121b52c9c35ba1135d54963b40d5543b4 Mon Sep 17 00:00:00 2001
From: agree <37550360+greenbea@users.noreply.github.com>
Date: Thu, 30 Mar 2023 01:24:04 -0400
Subject: [PATCH] [security] prevent xml injection and executing switch api
 cmds (#6594)

---
 app/call_centers/call_center_agent_edit.php   |   3 +
 app/call_centers/call_center_queue_edit.php   |  20 +-
 .../resources/scripts/directory/directory.lua | 198 +++++++++---------
 .../scripts/resources/functions/xml.lua       |  29 +++
 resources/classes/xml.php                     |  16 ++
 5 files changed, 158 insertions(+), 108 deletions(-)
 create mode 100644 app/scripts/resources/scripts/resources/functions/xml.lua
 create mode 100644 resources/classes/xml.php

diff --git a/app/call_centers/call_center_agent_edit.php b/app/call_centers/call_center_agent_edit.php
index 008355574a..98182429cb 100644
--- a/app/call_centers/call_center_agent_edit.php
+++ b/app/call_centers/call_center_agent_edit.php
@@ -162,6 +162,9 @@
 				$agent_contact = str_replace("@", "/", $agent_contact);
 			}
 
+		//freeswitch expands the the contact string, so we need to sanitize it.
+			$agent_contact = str_replace('$', '', $agent_contact);
+
 		//prepare the array
 			$array['call_center_agents'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
 			$array['call_center_agents'][0]['call_center_agent_uuid'] = $call_center_agent_uuid;
diff --git a/app/call_centers/call_center_queue_edit.php b/app/call_centers/call_center_queue_edit.php
index 5f4be19ee9..eda032d59a 100644
--- a/app/call_centers/call_center_queue_edit.php
+++ b/app/call_centers/call_center_queue_edit.php
@@ -336,42 +336,42 @@
 			}
 
 		//build the xml dialplan
-			$dialplan_xml = "<extension name=\"".$queue_name."\" continue=\"\" uuid=\"".$dialplan_uuid."\">\n";
+			$dialplan_xml = "<extension name=\"".xml::sanitize($queue_name)."\" continue=\"\" uuid=\"".xml::sanitize($dialplan_uuid)."\">\n";
 			$dialplan_xml .= "	<condition field=\"destination_number\" expression=\"^([^#]+#)(.*)\$\" break=\"never\">\n";
 			$dialplan_xml .= "		<action application=\"set\" data=\"caller_id_name=\$2\"/>\n";
 			$dialplan_xml .= "	</condition>\n";
-			$dialplan_xml .= "	<condition field=\"destination_number\" expression=\"^(callcenter\+)?".$queue_extension."$\">\n";
+			$dialplan_xml .= "	<condition field=\"destination_number\" expression=\"^(callcenter\+)?".xml::sanitize($queue_extension)."$\">\n";
 			$dialplan_xml .= "		<action application=\"answer\" data=\"\"/>\n";
 			if (is_uuid($call_center_queue_uuid)) {
-				$dialplan_xml .= "		<action application=\"set\" data=\"call_center_queue_uuid=".$call_center_queue_uuid."\"/>\n";
+				$dialplan_xml .= "		<action application=\"set\" data=\"call_center_queue_uuid=".xml::sanitize($call_center_queue_uuid)."\"/>\n";
 			}
 			if (is_numeric($queue_extension)) {
-				$dialplan_xml .= "		<action application=\"set\" data=\"queue_extension=".$queue_extension."\"/>\n";
+				$dialplan_xml .= "		<action application=\"set\" data=\"queue_extension=".xml::sanitize($queue_extension)."\"/>\n";
 			}
 			$dialplan_xml .= "		<action application=\"set\" data=\"cc_export_vars=\${cc_export_vars},call_center_queue_uuid,sip_h_Alert-Info\"/>\n";
 			$dialplan_xml .= "		<action application=\"set\" data=\"hangup_after_bridge=true\"/>\n";
 			if ($queue_time_base_score_sec != '') {
-				$dialplan_xml .= "		<action application=\"set\" data=\"cc_base_score=".$queue_time_base_score_sec."\"/>\n";
+				$dialplan_xml .= "		<action application=\"set\" data=\"cc_base_score=".xml::sanitize($queue_time_base_score_sec)."\"/>\n";
 			}
 			if ($queue_greeting_path != '') {
 				$dialplan_xml .= "		<action application=\"sleep\" data=\"1000\"/>\n";
 				$greeting_array = explode(':', $queue_greeting_path);
 				if (count($greeting_array) == 1) {
-					$dialplan_xml .= "		<action application=\"playback\" data=\"".$queue_greeting_path."\"/>\n";
+					$dialplan_xml .= "		<action application=\"playback\" data=\"".xml::sanitize($queue_greeting_path)."\"/>\n";
 				}
 				else {
 					if ($greeting_array[0] == 'say' || $greeting_array[0] == 'tone_stream' || $greeting_array[0] == 'phrase') {
-						$dialplan_xml .= "		<action application=\"".$greeting_array[0]."\" data=\"".$greeting_array[1]."\"/>\n";
+						$dialplan_xml .= "		<action application=\"".xml::sanitize($greeting_array[0])."\" data=\"".xml::sanitize($greeting_array[1])."\"/>\n";
 					}
 				}
 			}
 			if (strlen($queue_cid_prefix) > 0) {
-				$dialplan_xml .= "		<action application=\"set\" data=\"effective_caller_id_name=".$queue_cid_prefix."#\${caller_id_name}\"/>\n";
+				$dialplan_xml .= "		<action application=\"set\" data=\"effective_caller_id_name=".xml::sanitize($queue_cid_prefix)."#\${caller_id_name}\"/>\n";
 			}
 			if (strlen($queue_cc_exit_keys) > 0) {
-				$dialplan_xml .= "		<action application=\"set\" data=\"cc_exit_keys=".$queue_cc_exit_keys."\"/>\n";
+				$dialplan_xml .= "		<action application=\"set\" data=\"cc_exit_keys=".xml::sanitize($queue_cc_exit_keys)."\"/>\n";
 			}
-			$dialplan_xml .= "		<action application=\"callcenter\" data=\"".$queue_extension."@".$_SESSION["domain_name"]."\"/>\n";
+			$dialplan_xml .= "		<action application=\"callcenter\" data=\"".xml::sanitize($queue_extension)."@".$_SESSION["domain_name"]."\"/>\n";
 			if ($destination->valid($queue_timeout_app.':'.$queue_timeout_data)) {
 				$dialplan_xml .= "		<action application=\"".$queue_timeout_app."\" data=\"".$queue_timeout_data."\"/>\n";
 			}
diff --git a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua
index 94028683bc..224b0de430 100644
--- a/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua
+++ b/app/scripts/resources/scripts/app/xml_handler/resources/scripts/directory/directory.lua
@@ -29,7 +29,7 @@
 --	Luis Daniel Lucio Quiroz <dlucio@okay.com.mx>
 
 --set the default
-	continue = true;
+continue = true;
 
 --get the action
 	action = params:getHeader("action");
@@ -52,6 +52,8 @@
 		json = require "resources.functions.lunajson"
 	end
 
+	local Xml = require "resources.functions.xml";
+
 --include cache library
 	local cache = require "resources.functions.cache"
 
@@ -490,207 +492,207 @@
 							end
 
 						--build the xml
-							local xml = {}
-							table.insert(xml, [[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
-							table.insert(xml, [[<document type="freeswitch/xml">]]);
-							table.insert(xml, [[	<section name="directory">]]);
-							table.insert(xml, [[		<domain name="]] .. domain_name .. [[" alias="true">]]);
-							table.insert(xml, [[			<params>]]);
-							table.insert(xml, [[				<param name="jsonrpc-allowed-methods" value="verto"/>]]);
-							table.insert(xml, [[				<param name="jsonrpc-allowed-event-channels" value="demo,conference,presence"/>]]);
-							table.insert(xml, [[			</params>]]);
-							table.insert(xml, [[			<groups>]]);
-							table.insert(xml, [[				<group name="default">]]);
-							table.insert(xml, [[					<users>]]);
+							local xml = Xml:new();
+							xml:append([[<?xml version="1.0" encoding="UTF-8" standalone="no"?>]]);
+							xml:append([[<document type="freeswitch/xml">]]);
+							xml:append([[	<section name="directory">]]);
+							xml:append([[		<domain name="]] ..  xml.sanitize(domain_name) .. [[" alias="true">]]);
+							xml:append([[			<params>]]);
+							xml:append([[				<param name="jsonrpc-allowed-methods" value="verto"/>]]);
+							xml:append([[				<param name="jsonrpc-allowed-event-channels" value="demo,conference,presence"/>]]);
+							xml:append([[			</params>]]);
+							xml:append([[			<groups>]]);
+							xml:append([[				<group name="default">]]);
+							xml:append([[					<users>]]);
 							if (number_alias) then
 								if (cidr) then
-									table.insert(xml, [[						<user id="]] .. extension .. [["]] .. cidr .. number_alias_string .. [[>]]);
+									xml:append([[						<user id="]] ..  xml.sanitize(extension) .. [["]] ..  xml.sanitize(cidr) ..  xml.sanitize(number_alias_string) .. [[ type=>]]);
 								else
-									table.insert(xml, [[						<user id="]] .. extension .. [["]] .. number_alias_string .. [[>]]);
+									xml:append([[						<user id="]] ..  xml.sanitize(extension) .. [["]] ..  xml.sanitize(number_alias_string) .. [[>]]);
 								end
 							else
 								if (cidr) then
-									table.insert(xml, [[						<user id="]] .. extension .. [["]] .. cidr .. [[>]]);
+									xml:append([[						<user id="]] ..  xml.sanitize(extension) .. [["]] .. cidr .. [[>]]);
 								else
-									table.insert(xml, [[						<user id="]] .. extension .. [[">]]);
+									xml:append([[						<user id="]] ..  xml.sanitize(extension) .. [[">]]);
 								end
 							end
-							table.insert(xml, [[							<params>]]);
-							table.insert(xml, [[								<param name="password" value="]] .. password .. [["/>]]);
-							table.insert(xml, [[								<param name="vm-enabled" value="]] .. vm_enabled .. [["/>]]);
+							xml:append([[							<params>]]);
+							xml:append([[								<param name="password" value="]] .. password .. [["/>]]);
+							xml:append([[								<param name="vm-enabled" value="]] ..  xml.sanitize(vm_enabled) .. [["/>]]);
 							if (string.len(vm_mailto) > 0) then
-								table.insert(xml, [[								<param name="vm-password" value="]] .. vm_password  .. [["/>]]);
-								table.insert(xml, [[								<param name="vm-email-all-messages" value="]] .. vm_enabled  ..[["/>]]);
-								table.insert(xml, [[								<param name="vm-attach-file" value="]] .. vm_attach_file .. [["/>]]);
-								table.insert(xml, [[								<param name="vm-keep-local-after-email" value="]] .. vm_keep_local_after_email .. [["/>]]);
-								table.insert(xml, [[								<param name="vm-mailto" value="]] .. vm_mailto .. [["/>]]);
+								xml:append([[								<param name="vm-password" value="]] ..  xml.sanitize(vm_password)  .. [["/>]]);
+								xml:append([[								<param name="vm-email-all-messages" value="]] ..  xml.sanitize(vm_enabled)  ..[["/>]]);
+								xml:append([[								<param name="vm-attach-file" value="]] ..  xml.sanitize(vm_attach_file) .. [["/>]]);
+								xml:append([[								<param name="vm-keep-local-after-email" value="]] ..  xml.sanitize(vm_keep_local_after_email) .. [["/>]]);
+								xml:append([[								<param name="vm-mailto" value="]] ..  xml.sanitize(vm_mailto) .. [["/>]]);
 							end
 							if (string.len(mwi_account) > 0) then
-								table.insert(xml, [[							<param name="MWI-Account" value="]] .. mwi_account .. [["/>]]);
+								xml:append([[							<param name="MWI-Account" value="]] ..  xml.sanitize(mwi_account) .. [["/>]]);
 							end
 							if (string.len(auth_acl) > 0) then
-								table.insert(xml, [[							<param name="auth-acl" value="]] .. auth_acl .. [["/>]]);
+								xml:append([[							<param name="auth-acl" value="]] ..  xml.sanitize(auth_acl) .. [["/>]]);
 							end
-							table.insert(xml, [[								<param name="dial-string" value="]] .. dial_string .. [["/>]]);
-							table.insert(xml, [[								<param name="verto-context" value="]] .. user_context .. [["/>]]);
-							table.insert(xml, [[								<param name="verto-dialplan" value="XML"/>]]);
-							table.insert(xml, [[								<param name="jsonrpc-allowed-methods" value="verto"/>]]);
-							table.insert(xml, [[								<param name="jsonrpc-allowed-event-channels" value="demo,conference,presence"/>]]);
-							table.insert(xml, [[								<param name="max-registrations-per-extension" value="]] .. max_registrations .. [["/>]]);
+							xml:append([[								<param name="dial-string" value="]] .. dial_string .. [["/>]]);
+							xml:append([[								<param name="verto-context" value="]] ..  xml.sanitize(user_context) .. [["/>]]);
+							xml:append([[								<param name="verto-dialplan" value="XML"/>]]);
+							xml:append([[								<param name="jsonrpc-allowed-methods" value="verto"/>]]);
+							xml:append([[								<param name="jsonrpc-allowed-event-channels" value="demo,conference,presence"/>]]);
+							xml:append([[								<param name="max-registrations-per-extension" value="]] ..  xml.sanitize(max_registrations) .. [["/>]]);
 							for key,row in pairs(extension_settings) do
 								if (row.extension_setting_type == 'param') then
-									table.insert(xml, [[								<param name="]]..row.extension_setting_name..[[" value="]]..row.extension_setting_value..[["/>]]);
+									xml:append([[								<param name="]].. xml.sanitize(row.extension_setting_name)..[[" value="]].. xml.sanitize(row.extension_setting_value)..[["/>]]);
 								end
 							end
-							table.insert(xml, [[							</params>]]);
-							table.insert(xml, [[							<variables>]]);
-							table.insert(xml, [[								<variable name="domain_uuid" value="]] .. domain_uuid .. [["/>]]);
-							table.insert(xml, [[								<variable name="domain_name" value="]] .. domain_name .. [["/>]]);
-							table.insert(xml, [[								<variable name="extension_uuid" value="]] .. extension_uuid .. [["/>]]);
+							xml:append([[							</params>]]);
+							xml:append([[							<variables>]]);
+							xml:append([[								<variable name="domain_uuid" value="]] ..  xml.sanitize(domain_uuid) .. [["/>]]);
+							xml:append([[								<variable name="domain_name" value="]] ..  xml.sanitize(domain_name) .. [["/>]]);
+							xml:append([[								<variable name="extension_uuid" value="]] ..  xml.sanitize(extension_uuid) .. [["/>]]);
 							if (user_uuid ~= nil) and (string.len(user_uuid) > 0) then
-								table.insert(xml, [[								<variable name="user_uuid" value="]] .. user_uuid .. [["/>]]);
+								xml:append([[								<variable name="user_uuid" value="]] ..  xml.sanitize(user_uuid) .. [["/>]]);
 							end
 							if (contact_uuid ~= nil) and (string.len(contact_uuid) > 0) then
-								table.insert(xml, [[								<variable name="contact_uuid" value="]] .. contact_uuid .. [["/>]]);
+								xml:append([[								<variable name="contact_uuid" value="]] ..  xml.sanitize(contact_uuid) .. [["/>]]);
 							end
-							table.insert(xml, [[								<variable name="call_timeout" value="]] .. call_timeout .. [["/>]]);
-							table.insert(xml, [[								<variable name="caller_id_name" value="]] .. sip_from_user .. [["/>]]);
-							table.insert(xml, [[								<variable name="caller_id_number" value="]] .. sip_from_number .. [["/>]]);
-							table.insert(xml, [[								<variable name="presence_id" value="]] .. presence_id .. [["/>]]);
+							xml:append([[								<variable name="call_timeout" value="]] ..  xml.sanitize(call_timeout) .. [["/>]]);
+							xml:append([[								<variable name="caller_id_name" value="]] ..  xml.sanitize(sip_from_user) .. [["/>]]);
+							xml:append([[								<variable name="caller_id_number" value="]] ..  xml.sanitize(sip_from_number) .. [["/>]]);
+							xml:append([[								<variable name="presence_id" value="]] ..  xml.sanitize(presence_id) .. [["/>]]);
 							if (call_group ~= nil) and (string.len(call_group) > 0) then
-								table.insert(xml, [[								<variable name="call_group" value="]] .. call_group .. [["/>]]);
+								xml:append([[								<variable name="call_group" value="]] ..  xml.sanitize(call_group) .. [["/>]]);
 							end
 							if (call_screen_enabled ~= nil) and (string.len(call_screen_enabled) > 0) then
-								table.insert(xml, [[								<variable name="call_screen_enabled" value="]] .. call_screen_enabled .. [["/>]]);
+								xml:append([[								<variable name="call_screen_enabled" value="]] ..  xml.sanitize(call_screen_enabled) .. [["/>]]);
 							end
 							if (user_record ~= nil) and (string.len(user_record) > 0) then
-								table.insert(xml, [[								<variable name="user_record" value="]] .. user_record .. [["/>]]);
+								xml:append([[								<variable name="user_record" value="]] .. xml.sanitize(user_record) .. [["/>]]);
 							end
 							if (hold_music ~= nil) and (string.len(hold_music) > 0) then
-								table.insert(xml, [[								<variable name="hold_music" value="]] .. hold_music .. [["/>]]);
+								xml:append([[								<variable name="hold_music" value="]] .. xml.sanitize(hold_music) .. [["/>]]);
 							end
 							if (toll_allow ~= nil) and (string.len(toll_allow) > 0) then
-								table.insert(xml, [[								<variable name="toll_allow" value="]] .. toll_allow .. [["/>]]);
+								xml:append([[								<variable name="toll_allow" value="]] .. xml.sanitize(toll_allow) .. [["/>]]);
 							end
 							if (accountcode ~= nil) and (string.len(accountcode) > 0) then
-								table.insert(xml, [[								<variable name="accountcode" value="]] .. accountcode .. [["/>]]);
+								xml:append([[								<variable name="accountcode" value="]] .. xml.sanitize(accountcode) .. [["/>]]);
 							end
-							table.insert(xml, [[								<variable name="user_context" value="]] .. user_context .. [["/>]]);
+							xml:append([[								<variable name="user_context" value="]] .. xml.sanitize(user_context) .. [["/>]]);
 							if (effective_caller_id_name ~= nil) and (string.len(effective_caller_id_name) > 0) then
-								table.insert(xml, [[								<variable name="effective_caller_id_name" value="]] .. effective_caller_id_name.. [["/>]]);
+								xml:append([[								<variable name="effective_caller_id_name" value="]] .. xml.sanitize(effective_caller_id_name).. [["/>]]);
 							end
 							if (effective_caller_id_number ~= nil) and (string.len(effective_caller_id_number) > 0) then
-								table.insert(xml, [[								<variable name="effective_caller_id_number" value="]] .. effective_caller_id_number.. [["/>]]);
+								xml:append([[								<variable name="effective_caller_id_number" value="]] ..  xml.sanitize(effective_caller_id_number).. [["/>]]);
 							end
 							if (outbound_caller_id_name ~= nil) and (string.len(outbound_caller_id_name) > 0) then
-								table.insert(xml, [[								<variable name="outbound_caller_id_name" value="]] .. outbound_caller_id_name .. [["/>]]);
+								xml:append([[								<variable name="outbound_caller_id_name" value="]] ..  xml.sanitize(outbound_caller_id_name) .. [["/>]]);
 							end
 							if (outbound_caller_id_number ~= nil) and (string.len(outbound_caller_id_number) > 0) then
-								table.insert(xml, [[								<variable name="outbound_caller_id_number" value="]] .. outbound_caller_id_number .. [["/>]]);
+								xml:append([[								<variable name="outbound_caller_id_number" value="]] ..  xml.sanitize(outbound_caller_id_number) .. [["/>]]);
 							end
 							if (emergency_caller_id_name ~= nil) and (string.len(emergency_caller_id_name) > 0) then
-								table.insert(xml, [[								<variable name="emergency_caller_id_name" value="]] .. emergency_caller_id_name .. [["/>]]);
+								xml:append([[								<variable name="emergency_caller_id_name" value="]] ..  xml.sanitize(emergency_caller_id_name) .. [["/>]]);
 							end
 							if (emergency_caller_id_number ~= nil) and (string.len(emergency_caller_id_number) > 0) then
-								table.insert(xml, [[								<variable name="emergency_caller_id_number" value="]] .. emergency_caller_id_number .. [["/>]]);
+								xml:append([[								<variable name="emergency_caller_id_number" value="]] ..  xml.sanitize(emergency_caller_id_number) .. [["/>]]);
 							end
 							if (missed_call_app ~= nil) and (string.len(missed_call_app) > 0) then
-								table.insert(xml, [[								<variable name="missed_call_app" value="]] .. missed_call_app .. [["/>]]);
+								xml:append([[								<variable name="missed_call_app" value="]] ..  xml.sanitize(missed_call_app) .. [["/>]]);
 							end
 							if (missed_call_data ~= nil) and (string.len(missed_call_data) > 0) then
-								table.insert(xml, [[								<variable name="missed_call_data" value="]] .. missed_call_data .. [["/>]]);
+								xml:append([[								<variable name="missed_call_data" value="]] ..  xml.sanitize(missed_call_data) .. [["/>]]);
 							end
 							if (directory_full_name ~= nil) and (string.len(directory_full_name) > 0) then
-								table.insert(xml, [[								<variable name="directory_full_name" value="]] .. directory_full_name .. [["/>]]);
+								xml:append([[								<variable name="directory_full_name" value="]] ..  xml.sanitize(directory_full_name) .. [["/>]]);
 							end
 							if (directory_visible ~= nil) and (string.len(directory_visible) > 0) then
-								table.insert(xml, [[								<variable name="directory-visible" value="]] .. directory_visible .. [["/>]]);
+								xml:append([[								<variable name="directory-visible" value="]] ..  xml.sanitize(directory_visible) .. [["/>]]);
 							end
 							if (directory_exten_visible ~= nil) and (string.len(directory_exten_visible) > 0) then
-								table.insert(xml, [[								<variable name="directory-exten-visible" value="]] .. directory_exten_visible .. [["/>]]);
+								xml:append([[								<variable name="directory-exten-visible" value="]] ..  xml.sanitize(directory_exten_visible) .. [["/>]]);
 							end
 							if (limit_max ~= nil) and (string.len(limit_max) > 0) then
-								table.insert(xml, [[								<variable name="limit_max" value="]] .. limit_max .. [["/>]]);
+								xml:append([[								<variable name="limit_max" value="]] ..  xml.sanitize(limit_max) .. [["/>]]);
 							else
-								table.insert(xml, [[								<variable name="limit_max" value="5"/>]]);
+								xml:append([[								<variable name="limit_max" value="5"/>]]);
 							end
 							if (limit_destination ~= nil) and (string.len(limit_destination) > 0) then
-								table.insert(xml, [[								<variable name="limit_destination" value="]] .. limit_destination .. [["/>]]);
+								xml:append([[								<variable name="limit_destination" value="]] ..  xml.sanitize(limit_destination) .. [["/>]]);
 							end
 							if (sip_force_contact ~= nil) and (string.len(sip_force_contact) > 0) then
-								table.insert(xml, [[								<variable name="sip-force-contact" value="]] .. sip_force_contact .. [["/>]]);
+								xml:append([[								<variable name="sip-force-contact" value="]] ..  xml.sanitize(sip_force_contact) .. [["/>]]);
 							end
 							if (sip_force_expires ~= nil) and (string.len(sip_force_expires) > 0) then
-								table.insert(xml, [[								<variable name="sip-force-expires" value="]] .. sip_force_expires .. [["/>]]);
+								xml:append([[								<variable name="sip-force-expires" value="]] ..  xml.sanitize(sip_force_expires) .. [["/>]]);
 							end
 							if (nibble_account ~= nil) and (string.len(nibble_account) > 0) then
-								table.insert(xml, [[								<variable name="nibble_account" value="]] .. nibble_account .. [["/>]]);
+								xml:append([[								<variable name="nibble_account" value="]] ..  xml.sanitize(nibble_account) .. [["/>]]);
 							end
 							if (absolute_codec_string ~= nil) and (string.len(absolute_codec_string) > 0) then
-								table.insert(xml, [[								<variable name="absolute_codec_string" value="]] .. absolute_codec_string .. [["/>]]);
+								xml:append([[								<variable name="absolute_codec_string" value="]] ..  xml.sanitize(absolute_codec_string) .. [["/>]]);
 							end
 							if (force_ping ~= nil) and (string.len(force_ping) > 0) then
-								table.insert(xml, [[								<variable name="force_ping" value="]] .. force_ping .. [["/>]]);
+								xml:append([[								<variable name="force_ping" value="]] ..  xml.sanitize(force_ping) .. [["/>]]);
 							end
 							if (sip_bypass_media ~= nil) and (sip_bypass_media == "bypass-media") then
-								table.insert(xml, [[								<variable name="bypass_media" value="true"/>]]);
+								xml:append([[								<variable name="bypass_media" value="true"/>]]);
 							end
 							if (sip_bypass_media ~= nil) and (sip_bypass_media == "bypass-media-after-bridge") then
-								table.insert(xml, [[								<variable name="bypass_media_after_bridge" value="true"/>]]);
+								xml:append([[								<variable name="bypass_media_after_bridge" value="true"/>]]);
 							end
 							if (sip_bypass_media ~= nil) and (sip_bypass_media == "proxy-media") then
-								table.insert(xml, [[								<variable name="proxy_media" value="true"/>]]);
+								xml:append([[								<variable name="proxy_media" value="true"/>]]);
 							end
 							if (forward_all_enabled ~= nil) and (string.len(forward_all_enabled) > 0) then
-								table.insert(xml, [[								<variable name="forward_all_enabled" value="]] .. forward_all_enabled .. [["/>]]);
+								xml:append([[								<variable name="forward_all_enabled" value="]] ..  xml.sanitize(forward_all_enabled) .. [["/>]]);
 							end
 							if (forward_all_destination ~= nil) and (string.len(forward_all_destination) > 0) then
-								table.insert(xml, [[								<variable name="forward_all_destination" value="]] .. forward_all_destination .. [["/>]]);
+								xml:append([[								<variable name="forward_all_destination" value="]] ..  xml.sanitize(forward_all_destination) .. [["/>]]);
 							end
 							if (forward_busy_enabled ~= nil) and (string.len(forward_busy_enabled) > 0) then
-								table.insert(xml, [[								<variable name="forward_busy_enabled" value="]] .. forward_busy_enabled .. [["/>]]);
+								xml:append([[								<variable name="forward_busy_enabled" value="]] ..  xml.sanitize(forward_busy_enabled) .. [["/>]]);
 							end
 							if (forward_busy_destination ~= nil) and (string.len(forward_busy_destination) > 0) then
-								table.insert(xml, [[								<variable name="forward_busy_destination" value="]] .. forward_busy_destination .. [["/>]]);
+								xml:append([[								<variable name="forward_busy_destination" value="]] ..  xml.sanitize(forward_busy_destination) .. [["/>]]);
 							end
 							if (forward_no_answer_enabled ~= nil) and (string.len(forward_no_answer_enabled) > 0) then
-								table.insert(xml, [[								<variable name="forward_no_answer_enabled" value="]] .. forward_no_answer_enabled .. [["/>]]);
+								xml:append([[								<variable name="forward_no_answer_enabled" value="]] ..  xml.sanitize(forward_no_answer_enabled) .. [["/>]]);
 							end
 							if (forward_no_answer_destination ~= nil) and (string.len(forward_no_answer_destination) > 0) then
-								table.insert(xml, [[								<variable name="forward_no_answer_destination" value="]] .. forward_no_answer_destination .. [["/>]]);
+								xml:append([[								<variable name="forward_no_answer_destination" value="]] ..  xml.sanitize(forward_no_answer_destination) .. [["/>]]);
 							end
 							if (forward_user_not_registered_enabled ~= nil) and (string.len(forward_user_not_registered_enabled) > 0) then
-								table.insert(xml, [[								<variable name="forward_user_not_registered_enabled" value="]] .. forward_user_not_registered_enabled .. [["/>]]);
+								xml:append([[								<variable name="forward_user_not_registered_enabled" value="]] ..  xml.sanitize(forward_user_not_registered_enabled) .. [["/>]]);
 							end
 							if (forward_user_not_registered_destination ~= nil) and (string.len(forward_user_not_registered_destination) > 0) then
-								table.insert(xml, [[								<variable name="forward_user_not_registered_destination" value="]] .. forward_user_not_registered_destination .. [["/>]]);
+								xml:append([[								<variable name="forward_user_not_registered_destination" value="]] ..  xml.sanitize(forward_user_not_registered_destination) .. [["/>]]);
 							end
 							if (follow_me_enabled ~= nil) and (string.len(follow_me_enabled) > 0) then
-								table.insert(xml, [[								<variable name="follow_me_enabled" value="]] .. follow_me_enabled .. [["/>]]);
+								xml:append([[								<variable name="follow_me_enabled" value="]] ..  xml.sanitize(follow_me_enabled) .. [["/>]]);
 							end
 							--if (follow_me_destinations ~= nil) and (string.len(follow_me_destinations) > 0) then
-							--	table.insert(xml, [[								<variable name="follow_me_destinations" value="]] .. follow_me_destinations .. [["/>]]);
+							--	xml:append([[								<variable name="follow_me_destinations" value="]] .. follow_me_destinations .. [["/>]]);
 							--end
 							if (do_not_disturb ~= nil) and (string.len(do_not_disturb) > 0) then
-								table.insert(xml, [[								<variable name="do_not_disturb" value="]] .. do_not_disturb .. [["/>]]);
+								xml:append([[								<variable name="do_not_disturb" value="]] .. xml.sanitize(do_not_disturb) .. [["/>]]);
 							end
-							table.insert(xml, [[								<variable name="record_stereo" value="true"/>]]);
-							table.insert(xml, [[								<variable name="transfer_fallback_extension" value="operator"/>]]);
-							table.insert(xml, [[								<variable name="export_vars" value="domain_name,domain_uuid"/>]]);
+							xml:append([[								<variable name="record_stereo" value="true"/>]]);
+							xml:append([[								<variable name="transfer_fallback_extension" value="operator"/>]]);
+							xml:append([[								<variable name="export_vars" value="domain_name,domain_uuid"/>]]);
 							for key,row in pairs(extension_settings) do
 								if (row.extension_setting_type == 'variable') then
-									table.insert(xml, [[								<variable name="]]..row.extension_setting_name..[[" value="]]..row.extension_setting_value..[["/>]]);
+									xml:append([[								<variable name="]].. xml.sanitize(row.extension_setting_name)..[[" value="]].. xml.sanitize(row.extension_setting_value)..[["/>]]);
 								end
 							end
-							table.insert(xml, [[							</variables>]]);
-							table.insert(xml, [[						</user>]]);
-							table.insert(xml, [[					</users>]]);
-							table.insert(xml, [[				</group>]]);
-							table.insert(xml, [[			</groups>]]);
-							table.insert(xml, [[		</domain>]]);
-							table.insert(xml, [[	</section>]]);
-							table.insert(xml, [[</document>]]);
-							XML_STRING = table.concat(xml, "\n");
+							xml:append([[							</variables>]]);
+							xml:append([[						</user>]]);
+							xml:append([[					</users>]]);
+							xml:append([[				</group>]]);
+							xml:append([[			</groups>]]);
+							xml:append([[		</domain>]]);
+							xml:append([[	</section>]]);
+							xml:append([[</document>]]);
+							XML_STRING = xml:build();
 
 						--close the database connection
 							dbh:release();
diff --git a/app/scripts/resources/scripts/resources/functions/xml.lua b/app/scripts/resources/scripts/resources/functions/xml.lua
new file mode 100644
index 0000000000..ec315c2e46
--- /dev/null
+++ b/app/scripts/resources/scripts/resources/functions/xml.lua
@@ -0,0 +1,29 @@
+local xml = {}
+
+function xml:new(o)
+    o = o or {}
+    setmetatable(o, self);
+    self.__index = self;
+    self.xml = {};
+    return o;
+end
+
+function xml:append(data)
+    table.insert(self.xml, data);
+end
+
+function xml:build()
+    return table.concat(self.xml, "\n");
+end
+
+function xml.sanitize(s)
+    return (string.gsub(s, "[\"><'$]", {
+        ["<"] = "&lt;",
+        [">"] = "&gt;",
+        ['"'] = "&quot;",
+        ["'"] = "&apos;",
+        ["$"] = ""
+    }))
+end
+
+return xml;
\ No newline at end of file
diff --git a/resources/classes/xml.php b/resources/classes/xml.php
new file mode 100644
index 0000000000..15c992533a
--- /dev/null
+++ b/resources/classes/xml.php
@@ -0,0 +1,16 @@
+<?php
+
+if (!class_exists('xml')) {
+    class xml {
+
+        /**
+         * Escapes xml special characters to html entities and sanitze switch special chars.
+         */
+        static function sanitize($string) {
+            return str_replace('$', '', htmlspecialchars($string, ENT_XML1));
+        }
+
+    }
+}
+
+?>
\ No newline at end of file