
Update default_settings.php

FusionPBX 7 жил өмнө
parent
commit
b956b45fc0

+ 38 - 34
core/default_settings/default_settings.php

@@ -17,22 +17,26 @@
 
  The Initial Developer of the Original Code is
  Mark J Crane <[email protected]>
- Portions created by the Initial Developer are Copyright (C) 2008-2016
+ Portions created by the Initial Developer are Copyright (C) 2008-2018
  the Initial Developer. All Rights Reserved.
 
  Contributor(s):
  Mark J Crane <[email protected]>
 */
-require_once "root.php";
-require_once "resources/require.php";
-require_once "resources/check_auth.php";
-if (permission_exists('default_setting_view')) {
-	//access granted
-}
-else {
-	echo "access denied";
-	exit;
-}
+
+//includes
+	require_once "root.php";
+	require_once "resources/require.php";
+	require_once "resources/check_auth.php";
+
+//check permissions
+	if (permission_exists('default_setting_view')) {
+		//access granted
+	}
+	else {
+		echo "access denied";
+		exit;
+	}
 
 //add multi-lingual support
 	$language = new text;
@@ -54,7 +58,7 @@ else {
 			unset($sql);
 
 			messages::add($text['message-update']);
-			header("Location: default_settings.php".(($search != '') ? "?search=".$search : null)."#anchor_".$category);
+			header("Location: default_settings.php".(($search != '') ? "?search=".escape($search) : null)."#anchor_".escape($category));
 			exit;
 		}
 
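Review bot: The value on L56 goes into the query string and fragment of a Location header, so the encoder to apply is rawurlencode(), not escape(), which (presumably an htmlspecialchars wrapper; it is defined outside this file) turns `&` into `&amp;` and leaves `#`, `?` and spaces untouched, so a search term containing those characters is truncated or misparsed after the redirect. The same applies to the two later redirects at L73 and L82. Proposed: `header("Location: default_settings.php".(($search != '') ? "?search=".rawurlencode($search) : null)."#anchor_".rawurlencode($category));`. PHP's header() already refuses embedded newlines, so this is a correctness point rather than a header-injection one; the enclosing POST handler starts outside the hunk.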
@@ -163,14 +167,14 @@ else {
 				} // foreach
 
 				// set message
-				$_SESSION["message"] = $text['message-copy'].": ".$settings_copied;
+				$_SESSION["message"] = $text['message-copy'].": ".escape($settings_copied);
 			}
 			else {
 				// set message
 				messages::add($text['message-copy_failed']);
 			}
 
-			header("Location: default_settings.php".(($search != '') ? "?search=".$search : null));
+			header("Location: default_settings.php".(($search != '') ? "?search=".escape($search) : null));
 			exit;
 		}
 
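Review bot: L65 HTML-escapes `$settings_copied` before storing it in `$_SESSION["message"]`, which fixes the encoding at storage time instead of at output; whichever code later renders that session message decides the HTML context, and if it escapes again the text is double-encoded, while if it does not, the neighbouring `messages::add($text['message-copy_failed'])` on L69 reaches the page through a different path with no escaping at all. From its name `$settings_copied` looks like a copy count, in which case escape() is a no-op here anyway; confirm its type. Either keep the raw value and escape in the renderer, or route this message through the same `messages::add()` call as the failure branch so both are handled identically. The enclosing handler continues outside the hunk.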
@@ -193,7 +197,7 @@ else {
 				messages::add($text['message-delete_failed'], 'negative');
 			}
 
-			header("Location: default_settings.php".(($search != '') ? "?search=".$search : null));
+			header("Location: default_settings.php".(($search != '') ? "?search=".escape($search) : null));
 			exit;
 		}
 	} // post
@@ -272,14 +276,14 @@ else {
 	echo "			".$text['description-default_settings'];
 	echo "		</td>\n";
 	echo "		<td align='right' valign='top' nowrap='nowrap'>";
-	echo "			<input type='text' name='search' id='default_setting_search' class='formfld' style='min-width: 150px; width:150px; max-width: 150px;' placeholder=\"".$text['label-search']."\" value=\"".$search."\" onkeyup='setting_search();'>\n";
+	echo "			<input type='text' name='search' id='default_setting_search' class='formfld' style='min-width: 150px; width:150px; max-width: 150px;' placeholder=\"".$text['label-search']."\" value=\"".escape($search)."\" onkeyup='setting_search();'>\n";
 	if (permission_exists("domain_select") && permission_exists("domain_setting_add") && count($_SESSION['domains']) > 1) {
 		echo "		<input type='button' class='btn' id='button_copy' alt='".$text['button-copy']."' onclick='show_domains();' value='".$text['button-copy']."'>";
 		echo "		<input type='button' class='btn' style='display: none;' id='button_back' alt='".$text['button-back']."' onclick='hide_domains();' value='".$text['button-back']."'> ";
 		echo "		<select class='formfld' style='display: none; width: auto;' name='target_domain_uuid' id='target_domain_uuid'>\n";
 		echo "			<option value=''>Select Domain...</option>\n";
 		foreach ($_SESSION['domains'] as $domain) {
-			echo "		<option value='".$domain["domain_uuid"]."'>".$domain["domain_name"]."</option>\n";
+			echo "		<option value='".escape($domain["domain_uuid"])."'>".escape($domain["domain_name"])."</option>\n";
 		}
 		echo "		</select>\n";
 		echo "		<input type='button' class='btn' id='button_paste' style='display: none;' alt='".$text['button-paste']."' value='".$text['button-paste']."' onclick=\"$('#frm').attr('action', 'default_settings.php?search='+$('#default_setting_search').val()).submit();\">";
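Review bot: L91 places escape($search) inside a double-quoted `value="..."` attribute, so the fix only holds if escape() encodes `"` (htmlspecialchars with ENT_QUOTES or ENT_COMPAT); escape() is not defined on this page, so confirm its flags. L102 still reads the same field back with `$('#default_setting_search').val()` and concatenates it into a URL without `encodeURIComponent()`, so a search containing `&` or `#` loses part of its value on the paste round-trip; proposed: `'default_settings.php?search='+encodeURIComponent($('#default_setting_search').val())`. The `$text[...]` labels on these lines stay unescaped, which is acceptable only as long as they come from bundled translation files rather than user-editable data.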
@@ -344,22 +348,22 @@ else {
 					echo "</table>";
 					echo "</div>";
 				}
-				echo "<div id='category_".$row['default_setting_category']."' style='padding-top: 20px;'>";
-				echo "<span id='anchor_".$row['default_setting_category']."'></span>";
+				echo "<div id='category_".escape($row['default_setting_category'])."' style='padding-top: 20px;'>";
+				echo "<span id='anchor_".escape($row['default_setting_category'])."'></span>";
 				echo "<b>";
 				switch (strtolower($row['default_setting_category'])) {
 					case "api" : echo "API"; break;
 					case "cdr" : echo "CDR"; break;
 					case "ldap" : echo "LDAP"; break;
 					case "ivr menu" : echo "IVR Menu"; break;
-					default: echo ucwords(str_replace("_", " ", $row['default_setting_category']));
+					default: echo ucwords(str_replace("_", " ", escape($row['default_setting_category'])));
 				}
 				echo "</b>\n";
 
 				echo "<table class='tr_hover' style='margin-top: 5px;' width='100%' border='0' cellpadding='0' cellspacing='0'>\n";
 				echo "<tr>\n";
 				if ( (permission_exists("domain_select") && permission_exists("domain_setting_add") && count($_SESSION['domains']) > 1) || permission_exists('default_setting_delete') ) {
-					echo "<th style='width: 30px; vertical-align: bottom; text-align: center; padding: 0px 3px 2px 8px;'><input type='checkbox' id='chk_all_".$row['default_setting_category']."' class='chk_all' onchange=\"(this.checked) ? check('all','".strtolower($row['default_setting_category'])."') : check('none','".strtolower($row['default_setting_category'])."');\"></th>";
+					echo "<th style='width: 30px; vertical-align: bottom; text-align: center; padding: 0px 3px 2px 8px;'><input type='checkbox' id='chk_all_".$row['default_setting_category']."' class='chk_all' onchange=\"(this.checked) ? check('all','".strtolower(escape($row['default_setting_category']))."') : check('none','".strtolower(escape($row['default_setting_category']))."');\"></th>";
 				}
 				echo "<th width='23%'>".$text['label-subcategory']."</th>";
 				echo "<th width='7%'>".$text['label-type']."</th>";
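Review bot: On L126 escape() is applied to a value that sits inside a JavaScript string literal within the `onchange` attribute, which is the wrong layer: the HTML parser decodes the entities back to raw characters before the inline handler is parsed, so a category containing an apostrophe still closes the `'...'` literal, and the `id='chk_all_...'` on the same line is left unescaped entirely. The JS argument should be produced with json_encode() and the whole attribute then HTML-escaped, e.g. `$category_js = escape(json_encode(strtolower($row['default_setting_category']), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP));` and then `check('all',".$category_js.")` / `check('none',".$category_js.")` in place of the quoted concatenation, with `id='chk_all_".escape($row['default_setting_category'])."'`. Whatever encoding is chosen here must match the one used for the `category == '...'` comparison emitted in the generated `check()` function later in the file, otherwise the select-all checkbox stops matching. L118 is fine since escape() runs on plain text before ucwords(), though escaping after the replacement would read more naturally.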
@@ -377,21 +381,21 @@ else {
 				echo "</tr>\n";
 			}
 
-			$tr_link = (permission_exists('default_setting_edit')) ? "href=\"javascript:document.location.href='default_setting_edit.php?id=".$row['default_setting_uuid']."&search='+$('#default_setting_search').val();\"" : null;
+			$tr_link = (permission_exists('default_setting_edit')) ? "href=\"javascript:document.location.href='default_setting_edit.php?id=".escape($row['default_setting_uuid'])."&search='+$('#default_setting_search').val();\"" : null;
 			echo "<tr id='setting_".$row['default_setting_uuid']."' ".$tr_link.">\n";
 			if ( (permission_exists("domain_select") && permission_exists("domain_setting_add") && count($_SESSION['domains']) > 1) || permission_exists("default_setting_delete") ) {
-				echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='text-align: center; padding: 3px 3px 0px 8px;'><input type='checkbox' name='id[]' id='checkbox_".$row['default_setting_uuid']."' value='".$row['default_setting_uuid']."' onclick=\"if (!this.checked) { document.getElementById('chk_all_".$row['default_setting_category']."').checked = false; }\"></td>\n";
+				echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='text-align: center; padding: 3px 3px 0px 8px;'><input type='checkbox' name='id[]' id='checkbox_".escape($row['default_setting_uuid'])."' value='".escape($row['default_setting_uuid'])."' onclick=\"if (!this.checked) { document.getElementById('chk_all_".escape($row['default_setting_category'])."').checked = false; }\"></td>\n";
 				$subcat_ids[strtolower($row['default_setting_category'])][] = 'checkbox_'.$row['default_setting_uuid'];
 			}
 			echo "	<td valign='top' class='".$row_style[$c]."'>";
 			if (permission_exists('default_setting_edit')) {
-				echo "<a href=\"javascript:document.location.href='default_setting_edit.php?id=".$row['default_setting_uuid']."&search='+$('#default_setting_search').val(); return false;\">".$row['default_setting_subcategory']."</a>";
+				echo "<a href=\"javascript:document.location.href='default_setting_edit.php?id=".$row['default_setting_uuid']."&search='+$('#default_setting_search').val(); return false;\">".escape($row['default_setting_subcategory'])."</a>";
 			}
 			else {
 				echo $row['default_setting_subcategory'];
 			}
 			echo "	</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['default_setting_name']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['default_setting_name'])."&nbsp;</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."' style='width: 30%; max-width: 100px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;'>\n";
 
 			$category = $row['default_setting_category'];
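Review bot: L148 still echoes `$row['default_setting_subcategory']` raw in the no-edit-permission branch while L145 escapes the same value for users who can edit, so the view seen by lower-privileged users is the one left unescaped; change it to `echo escape($row['default_setting_subcategory']);`. L136 (`id='setting_".$row['default_setting_uuid']."'`) and the `?id=` on L145 likewise keep the raw UUID while L135, L139 and L152 escape their copies of it; the same value should be treated the same way on every line. The `javascript:` hrefs on L135 and L145 embed the value inside a JS single-quoted literal within an HTML attribute, so entity encoding alone does not bound it there; json_encode() with the JSON_HEX_* flags, then escape() on the attribute, is the encoding that fits that context. The enclosing row loop starts outside the hunk.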
@@ -432,29 +436,29 @@ else {
 			}
 			else {
 				if ($category == "theme" && substr_count($subcategory, "_color") > 0 && ($name == "text" || $name == 'array')) {
-					echo "		".(img_spacer('15px', '15px', 'background: '.$row['default_setting_value'].'; margin-right: 4px; vertical-align: middle; border: 1px solid '.(color_adjust($row['default_setting_value'], -0.18)).'; padding: -1px;'));
-					echo "<span style=\"font-family: 'Courier New'; line-height: 6pt;\">".htmlspecialchars($row['default_setting_value'])."</span>\n";
+					echo "		".(img_spacer('15px', '15px', 'background: '.escape($row['default_setting_value']).'; margin-right: 4px; vertical-align: middle; border: 1px solid '.(color_adjust($row['default_setting_value'], -0.18)).'; padding: -1px;'));
+					echo "<span style=\"font-family: 'Courier New'; line-height: 6pt;\">".escape($row['default_setting_value'])."</span>\n";
 				}
 				else {
-					echo "		".htmlspecialchars($row['default_setting_value'])."\n";
+					echo "		".escape($row['default_setting_value'])."\n";
 				}
 			}
 			echo "	</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='text-align: center;'>\n";
 			if (permission_exists('default_setting_edit')) {
-				echo "	<a href=\"javascript:document.location.href='?id[]=".$row['default_setting_uuid']."&enabled=".(($row['default_setting_enabled'] == 'true') ? 'false' : 'true')."&category=".$category."&search='+$('#default_setting_search').val();\">".$text['label-'.$row['default_setting_enabled']]."</a>\n";
+				echo "	<a href=\"javascript:document.location.href='?id[]=".escape($row['default_setting_uuid'])."&enabled=".(($row['default_setting_enabled'] == 'true') ? 'false' : 'true')."&category=".escape($category)."&search='+$('#default_setting_search').val();\">".$text['label-'.$row['default_setting_enabled']]."</a>\n";
 			}
 			else {
 				echo "	".$text['label-'.$row['default_setting_enabled']]."\n";
 			}
 			echo "	</td>\n";
-			echo "	<td valign='top' class='row_stylebg' style='width: 40%; max-width: 50px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;'>".$row['default_setting_description']."&nbsp;</td>\n";
+			echo "	<td valign='top' class='row_stylebg' style='width: 40%; max-width: 50px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;'>".escape($row['default_setting_description'])."&nbsp;</td>\n";
 			echo "	<td class='list_control_icons' nowrap='nowrap'>";
 			if (permission_exists('default_setting_edit')) {
-				echo "<a href=\"javascript:document.location.href='default_setting_edit.php?id=".$row['default_setting_uuid']."&search='+$('#default_setting_search').val();\" alt='".$text['button-edit']."'>$v_link_label_edit</a>";
+				echo "<a href=\"javascript:document.location.href='default_setting_edit.php?id=".escape($row['default_setting_uuid'])."&search='+$('#default_setting_search').val();\" alt='".$text['button-edit']."'>$v_link_label_edit</a>";
 			}
 			if (permission_exists('default_setting_delete')) {
-				echo "<a href=\"javascript:document.location.href='default_settings.php?id[]=".$row['default_setting_uuid']."&action=delete&search='+$('#default_setting_search').val();\" alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
+				echo "<a href=\"javascript:document.location.href='default_settings.php?id[]=".escape($row['default_setting_uuid'])."&action=delete&search='+$('#default_setting_search').val();\" alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
 			}
 			echo "	</td>\n";
 			echo "</tr>\n";
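Review bot: L162 HTML-escapes the setting value before inserting it into a CSS `background:` declaration, but entity encoding does not bound CSS tokens, and `color_adjust($row['default_setting_value'], -0.18)` on the same line is concatenated raw, so a stored value that is not a colour still reaches the inline style unchecked. Since this branch is only meant for colour settings, validate the value as a hex colour before building the swatch and fall back to the plain escaped text otherwise; that bounds both occurrences without depending on what color_adjust() (defined elsewhere) returns for unexpected input. L174 also has `&category=".escape($category)` in a URL query inside a JS literal, where rawurlencode() is the encoder for the query value. The enclosing row loop starts and ends outside the hunk.
```php
				if ($category == "theme" && substr_count($subcategory, "_color") > 0 && ($name == "text" || $name == 'array')) {
					// only a syntactically valid hex colour may enter the inline style; anything else is shown as escaped text only
					$is_hex_color = preg_match('/^#[0-9a-fA-F]{3,8}$/', $row['default_setting_value']) === 1;
					if ($is_hex_color) {
						echo "		".(img_spacer('15px', '15px', 'background: '.$row['default_setting_value'].'; margin-right: 4px; vertical-align: middle; border: 1px solid '.(color_adjust($row['default_setting_value'], -0.18)).'; padding: -1px;'));
					}
					echo "<span style=\"font-family: 'Courier New'; line-height: 6pt;\">".escape($row['default_setting_value'])."</span>\n";
				}
				// … unchanged: else branch and the remaining cells of the row …
```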
@@ -490,9 +494,9 @@ else {
 			echo "<script>\n";
 			echo "	function check(what, category) {\n";
 			foreach ($subcat_ids as $default_setting_category => $checkbox_ids) {
-				echo "if (category == '".$default_setting_category."') {\n";
+				echo "if (category == '".escape($default_setting_category)."') {\n";
 				foreach ($checkbox_ids as $index => $checkbox_id) {
-					echo "document.getElementById('".$checkbox_id."').checked = (what == 'all') ? true : false;\n";
+					echo "document.getElementById('".escape($checkbox_id)."').checked = (what == 'all') ? true : false;\n";
 				}
 				echo "}\n";
 			}
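Review bot: L198 and L201 apply escape() to values emitted inside a `<script>` block, where the HTML parser does not decode entities, so an apostrophe or ampersand in a category key arrives in the JS source as the literal text `&#039;`/`&amp;` and the `category == '...'` comparison no longer matches the value passed from the onchange handler; the encoding guards against a closing tag but corrupts the data. The JS-literal encoder is json_encode() with the hex flags: `echo "if (category == ".json_encode($default_setting_category, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).") {\n";` and `echo "document.getElementById(".json_encode($checkbox_id, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).").checked = (what == 'all') ? true : false;\n";`. `$checkbox_id` is built on L140 from `'checkbox_'.$row['default_setting_uuid']`, so it is only as trustworthy as the stored UUID. The generated `check()` function starts on L195 and ends outside the hunk.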