
Update contact_addresses.php

FusionPBX 7 years ago
parent
commit
02022241a7
1 changed files with 26 additions and 22 deletions
  1. 26 22
      contact_addresses.php

+ 26 - 22
contact_addresses.php

@@ -17,22 +17,26 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <[email protected]>
-	Portions created by the Initial Developer are Copyright (C) 2008-2012
+	Portions created by the Initial Developer are Copyright (C) 2008-2018
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
 	Mark J Crane <[email protected]>
 */
-require_once "root.php";
-require_once "resources/require.php";
-require_once "resources/check_auth.php";
-if (permission_exists('contact_address_view')) {
-	//access granted
-}
-else {
-	echo "access denied";
-	exit;
-}
+
+//includes
+	require_once "root.php";
+	require_once "resources/require.php";
+	require_once "resources/check_auth.php";
+
+//check permissions
+	if (permission_exists('contact_address_view')) {
+		//access granted
+	}
+	else {
+		echo "access denied";
+		exit;
+	}
 
 //show the content
 	echo "<table width='100%' border='0'>\n";
@@ -75,25 +79,25 @@ else {
 
 	if ($result_count > 0) {
 		foreach($result as $row) {
-			$map_query = $row['address_street']." ".$row['address_extended'].", ".$row['address_locality'].", ".$row['address_region'].", ".$row['address_region'].", ".$row['address_postal_code'];
+			$map_query = escape($row['address_street'])." ".escape($row['address_extended']).", ".escape($row['address_locality']).", ".escape($row['address_region']).", ".escape($row['address_region']).", ".escape($row['address_postal_code']);
 			if (permission_exists('contact_address_edit')) {
-				$tr_link = "href='contact_address_edit.php?contact_uuid=".$row['contact_uuid']."&id=".$row['contact_address_uuid']."'";
+				$tr_link = "href='contact_address_edit.php?contact_uuid=".escape($row['contact_uuid'])."&id=".escape($row['contact_address_uuid'])."'";
 			}
-			echo "<tr ".$tr_link." ".(($row['address_primary']) ? "style='font-weight: bold;'" : null).">\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['address_label']."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."' style='width: 25%; max-width: 50px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;'>".$row['address_street']."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."' style='white-space: nowrap;'>".$row['address_locality'].(($row['address_locality'] != '' && $row['address_region'] != '') ? ", " : null).$row['address_region']."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."' style='text-align: center;'>".$row['address_country']."&nbsp;</td>\n";
+			echo "<tr ".$tr_link." ".((escape($row['address_primary'])) ? "style='font-weight: bold;'" : null).">\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['address_label'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."' style='width: 25%; max-width: 50px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;'>".escape($row['address_street'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."' style='white-space: nowrap;'>".escape($row['address_locality']).(($row['address_locality'] != '' && $row['address_region'] != '') ? ", " : null).escape($row['address_region'])."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."' style='text-align: center;'>".escape($row['address_country'])."&nbsp;</td>\n";
 			echo "	<td valign='middle' class='".$row_style[$c]." tr_link_void' style='padding: 0px;'>\n";
 			echo "		<a href=\"http://maps.google.com/maps?q=".urlencode($map_query)."&hl=en\" target=\"_blank\"><img src='resources/images/icon_gmaps.png' style='width: 21px; height: 21px; alt='".$text['label-google_map']."' title='".$text['label-google_map']."'></a>\n";
 			echo "	</td>\n";
-			echo "	<td valign='top' class='row_stylebg'>".$row['address_description']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='row_stylebg'>".escape($row['address_description'])."&nbsp;</td>\n";
 			echo "	<td class='list_control_icons'>";
 			if (permission_exists('contact_address_edit')) {
-				echo "<a href='contact_address_edit.php?contact_uuid=".$row['contact_uuid']."&id=".$row['contact_address_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
+				echo "<a href='contact_address_edit.php?contact_uuid=".escape($row['contact_uuid'])."&id=".escape($row['contact_address_uuid'])."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
 			}
 			if (permission_exists('contact_address_delete')) {
-				echo "<a href='contact_address_delete.php?contact_uuid=".$row['contact_uuid']."&id=".$row['contact_address_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
+				echo "<a href='contact_address_delete.php?contact_uuid=".escape($row['contact_uuid'])."&id=".escape($row['contact_address_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
 			}
 			echo "	</td>\n";
 			echo "</tr>\n";
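Review bot: The `escape()` calls added to the `$map_query` components are in the wrong encoding context: that string is later passed through `urlencode()` on the Google Maps href, so — assuming `escape()` HTML-encodes as its name suggests — an address containing `&`, `'` or `"` reaches the map query as the percent-encoded entity (e.g. `%26amp%3B`) instead of the character. Build the query from the raw row values and let the existing `urlencode($map_query)` on the href be the single encoding step, since its output is already safe inside a quoted attribute: `$map_query = $row['address_street']." ".$row['address_extended'].", ".$row['address_locality'].", ".$row['address_region'].", ".$row['address_region'].", ".$row['address_postal_code'];`. Separately, `address_region` appears twice on that line while the table renders `address_country` in its own column, so the second occurrence is probably meant to be `address_country` — worth confirming against the intended map lookup. The enclosing `foreach` and its `if ($result_count > 0)` wrapper both begin before this hunk and close after it.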
@@ -104,4 +108,4 @@ else {
 
 	echo "</table>";
 
-?>
+?>