FusionPBX 5 жил өмнө
parent
commit
c4bc7ab90e
1 өөрчлөгдсөн 61 нэмэгдсэн , 15 устгасан
  1. 61 15
      resources/functions.php

+ 61 - 15
resources/functions.php

@@ -284,7 +284,7 @@
 	if (!function_exists('if_superadmin')) {
 		function if_superadmin($superadmin_list, $user_uuid) {
 			if (stripos($superadmin_list, "||".$user_uuid."||") === false) {
-				return false; //user_uuid does not exist
+				return false;
 			}
 			else {
 				return true; //user_uuid exists
@@ -296,12 +296,14 @@
 		function html_select_other($table_name, $field_name, $sql_where_optional, $field_current_value) {
 			//html select other: build a select box from distinct items in db with option for other
 			global $domain_uuid;
+			$table_name = preg_replace("#[^a-zA-Z0-9_]#", "", $table_name);
+			$field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name);
 
 			$html = "<table border='0' cellpadding='1' cellspacing='0'>\n";
 			$html .= "<tr>\n";
-			$html .= "<td id=\"cell".$field_name."1\">\n";
+			$html .= "<td id=\"cell".urlencode($field_name)."1\">\n";
 			$html .= "\n";
-			$html .= "<select id=\"".$field_name."\" name=\"".$field_name."\" class='formfld' onchange=\"if (document.getElementById('".$field_name."').value == 'Other') { /*enabled*/ document.getElementById('".$field_name."_other').style.display=''; document.getElementById('".$field_name."_other').className='formfld'; document.getElementById('".$field_name."_other').focus(); } else { /*disabled*/ document.getElementById('".$field_name."_other').value = ''; document.getElementById('".$field_name."_other').style.display='none'; } \">\n";
+			$html .= "<select id=\"".urlencode($field_name)."\" name=\"".urlencode($field_name)."\" class='formfld' onchange=\"if (document.getElementById('".$field_name."').value == 'Other') { /*enabled*/ document.getElementById('".$field_name."_other').style.display=''; document.getElementById('".$field_name."_other').className='formfld'; document.getElementById('".$field_name."_other').focus(); } else { /*disabled*/ document.getElementById('".$field_name."_other').value = ''; document.getElementById('".$field_name."_other').style.display='none'; } \">\n";
 			$html .= "<option value=''></option>\n";
 
 			$sql = "select distinct(".$field_name.") as ".$field_name." ";
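Review bot: The two `preg_replace` calls added at the top of html_select_other strip disallowed characters silently rather than rejecting the value, so an identifier such as `v_users; --` or a schema-qualified `public.v_users` is quietly rewritten into a different name and the query on the last line runs against it. Failing closed is safer and cheaper to reason about: `if ($table_name !== preg_replace('#[^a-zA-Z0-9_]#', '', $table_name) || $field_name !== preg_replace('#[^a-zA-Z0-9_]#', '', $field_name)) { return ''; }`. The `urlencode($field_name)` wrappers on the `id`/`name` attributes are no-ops after that regex and signal the wrong escaper for an HTML attribute; `htmlspecialchars($field_name, ENT_QUOTES, 'UTF-8')` is the context-correct call even where it is redundant. `$sql_where_optional` is still concatenated verbatim into the query, which the new sanitizing does not cover; the function body continues past this hunk.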
@@ -311,7 +313,7 @@
 			if (is_array($result) && @sizeof($result) != 0) {
 				foreach($result as $field) {
 					if (strlen($field[$field_name]) > 0) {
-						$html .= "<option value=\"".$field[$field_name]."\" ".($field_current_value == $field[$field_name] ? "selected='selected'" : null).">".$field[$field_name]."</option>\n";
+						$html .= "<option value=\"".urlencode($field[$field_name])."\" ".($field_current_value == $field[$field_name] ? "selected='selected'" : null).">".urlencode($field[$field_name])."</option>\n";
 					}
 				}
 			}
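Review bot: `urlencode()` on the option line is a URL-query encoder, not an HTML escaper, so a DB value like `New York` will display as `New+York` and non-ASCII text as `%C3%..` sequences; it does neutralize `<`, `"` and `'`, so the XSS is closed, but the output is corrupted. The `value` attribute is percent-encoded on the same line while `$field_current_value == $field[$field_name]` compares the raw DB value, so a selection that round-trips through a form submission will likely no longer be marked `selected`. Use the HTML escaper for both the attribute and the text: `$html .= "<option value=\"".htmlspecialchars($field[$field_name], ENT_QUOTES, 'UTF-8')."\" ".($field_current_value == $field[$field_name] ? "selected='selected'" : null).">".htmlspecialchars($field[$field_name], ENT_QUOTES, 'UTF-8')."</option>\n";`. The enclosing function starts before this hunk.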
@@ -331,18 +333,24 @@
 	}
 
 	if (!function_exists('html_select')) {
-		function html_select($table_name, $field_name, $sql_where_optional, $field_current_value, $field_value = '', $style = '', $onchange = '') {
+		function html_select($table_name, $field_name, $sql_where_optional, $field_current_value, $field_value = '', $style = '', $on_change = '') {
 			//html select: build a select box from distinct items in db
 			global $domain_uuid;
 
+			$table_name = preg_replace("#[^a-zA-Z0-9_]#", "", $table_name);
+			$field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name);
+			$field_value = preg_replace("#[^a-zA-Z0-9_]#", "", $field_value);
+		
 			if (strlen($field_value) > 0) {
-				$html .= "<select id=\"".$field_value."\" name=\"".$field_value."\" class='formfld' style='".$style."' ".($onchange != '' ? "onchange=\"".$onchange."\"" : null).">\n";
+				$html .= "<select id=\"".$field_value."\" name=\"".$field_value."\" class='formfld' style='".$style."' ".($on_change != '' ? "onchange=\"".$on_change."\"" : null).">\n";
 				$html .= "	<option value=\"\"></option>\n";
+
 				$sql = "select distinct(".$field_name.") as ".$field_name.", ".$field_value." from ".$table_name." ".$sql_where_optional." order by ".$field_name." asc ";
 			}
 			else {
-				$html .= "<select id=\"".$field_name."\" name=\"".$field_name."\" class='formfld' style='".$style."' ".($onchange != '' ? "onchange=\"".$onchange."\"" : null).">\n";
+				$html .= "<select id=\"".$field_name."\" name=\"".$field_name."\" class='formfld' style='".$style."' ".($on_change != '' ? "onchange=\"".$on_change."\"" : null).">\n";
 				$html .= "	<option value=\"\"></option>\n";
+
 				$sql = "select distinct(".$field_name.") as ".$field_name." from ".$table_name." ".$sql_where_optional." ";
 			}
 
@@ -353,7 +361,7 @@
 					if (strlen($field[$field_name]) > 0) {
 						$selected = $field_current_value == $field[$field_name] ? "selected='selected'" : null;
 						$array_key = strlen($field_value) > 0 ? $field_value : $field_name;
-						$html .= "<option value=\"".$field[$array_key]."\" ".$selected.">".$field[$field_name]."</option>\n";
+						$html .= "<option value=\"".urlencode($field[$array_key])."\" ".$selected.">".urlencode($field[$field_name])."</option>\n";
 					}
 				}
 			}
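Review bot: The option line in html_select now applies `urlencode()` to the visible label and to the `value` attribute, which is the wrong escaper for HTML: labels lose their spaces (`+`) and non-ASCII characters, and the encoded `value` no longer equals the raw `$field[$field_name]` that `$selected` was computed from two lines earlier, so the current selection is likely lost after a submit. `$html .= "<option value=\"".htmlspecialchars($field[$array_key], ENT_QUOTES, 'UTF-8')."\" ".$selected.">".htmlspecialchars($field[$field_name], ENT_QUOTES, 'UTF-8')."</option>\n";` keeps the injection fix and renders the value unchanged. The enclosing loop and function start before this hunk.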
@@ -366,20 +374,58 @@
 
 	if (!function_exists('th_order_by')) {
 		//html table header order by
-		function th_order_by($field_name, $columntitle, $order_by, $order, $app_uuid = '', $css = '', $additional_get_params='', $description='') {
-			if (strlen($app_uuid) > 0) { $app_uuid = "&app_uuid=".$app_uuid; }	// accomodate need to pass app_uuid where necessary (inbound/outbound routes lists)
-			if (strlen($additional_get_params) > 0) {$additional_get_params = '&'.$additional_get_params; } // you may need to pass other parameters
-			$html = "<th ".$css." nowrap>";
+		function th_order_by($field_name, $column_title, $order_by, $order, $app_uuid = '', $css = '', $http_get_params = '', $description = '') {
+			if (is_uuid($app_uuid) > 0) { $app_uuid = "&app_uuid=".$app_uuid; }	// accomodate need to pass app_uuid where necessary (inbound/outbound routes lists)
+
+			$field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name);
+			$column_title = preg_replace("#[^a-zA-Z0-9_]#", "", $column_title);
+			$field_value = preg_replace("#[^a-zA-Z0-9_]#", "", $field_value);
+
+			$sanitized_parameters = '';
+			if (isset($http_get_params) && strlen($http_get_params) > 0) {
+				$parameters = explode('&', $http_get_params);
+				if (is_array($parameters)) {
+					foreach ($parameters as $parameter) {
+						$array = explode('=', $parameter);
+						$key = preg_replace('#[^a-zA-Z0-9_\-]#', '', $array['0']);
+						$value = urldecode($array['1']);
+						if ($key == 'order_by' && strlen($value) > 0) {
+							//validate order by
+							$sanitized_parameters .= "&order_by=". preg_replace('#[^a-zA-Z0-9_\-]#', '', $value);
+						}
+						else if ($key == 'order' && strlen($value) > 0) {
+							//validate order
+							switch ($value) {
+								case 'asc':
+									$sanitized_parameters .= "&order=asc";
+									break;
+								case 'desc':
+									$sanitized_parameters .= "&order=desc";
+									break;
+							}
+						}
+						else if (strlen($value) > 0 && is_numeric($value)) {
+							$sanitized_parameters .= "&".$key."=".$value;
+						}
+						else {
+							$sanitized_parameters .= "&".$key."=".urlencode($value);
+						}
+					}
+				}
+			}
+
+			$html = "<th ".$css." nowrap='nowrap'>";
 			$description = (strlen($description) > 0) ? $description . ', ': '';
-			if (strlen($order_by) == 0)
+			if (strlen($order_by) == 0) {
 				$order = 'asc';
+			}
 			if ($order == "asc") {
 				$description .= 'sort(ascending)';
-				$html .= "<a href='?order_by=$field_name&order=desc".$app_uuid."$additional_get_params' title='$description'>$columntitle</a>";
+				$html .= "<a href='?order_by=".urlencode($field_name)."&order=desc".urlencode($app_uuid).$sanitized_parameters."' title='".urlencode($description)."'>".urlencode($column_title)."</a>";
 			}
 			else {
 				$description .= 'sort(descending)';
-				$html .= "<a href='?order_by=$field_name&order=asc".$app_uuid."$additional_get_params' title='$description'>$columntitle</a>";
+				$html .= "<a href='?order_by=".urlencode($field_name)."&order=asc".urlencode($app_uuid).$sanitized_parameters."' title='".urlencode($description)."'>".urlencode($column_title)."</a>";
 			}
 			$html .= "</th>";
 			return $html;
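Review bot: `urlencode($app_uuid)` in both `<a href=...>` lines encodes the `&app_uuid=` prefix that was prepended earlier in the function, so the link becomes `order=desc%26app_uuid%3D...` and the uuid is lost into the `order` value; `is_uuid()` already constrains the value, so it should be appended verbatim. The regex on `$column_title` strips spaces and any non-ASCII character from what is display text (`Caller ID Name` becomes `CallerIDName`, a translated title may become empty), and `urlencode()` on the title and on `$description` then corrupts what does survive; `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` is the right escaper for both. The `$field_value` line references a variable that is not a parameter of th_order_by, so it sanitizes an undefined value and can be dropped. Separately, `explode('=', $parameter)` yields no index 1 for a bare `key` parameter, so the following `urldecode($array['1'])` reads an undefined offset; `explode('=', $parameter, 2)` with `$array[1] ?? ''` avoids that.
```php
function th_order_by($field_name, $column_title, $order_by, $order, $app_uuid = '', $css = '', $http_get_params = '', $description = '') {
	if (is_uuid($app_uuid) > 0) { $app_uuid = "&app_uuid=".$app_uuid; }	// validated by is_uuid(); appended verbatim below, never urlencoded

	$field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name);
	// column title is display text (spaces, translations): HTML-escape it rather than stripping characters
	$column_title = htmlspecialchars($column_title, ENT_QUOTES, 'UTF-8');
	// (the $field_value line is dropped: it is not a parameter of this function)

	// … unchanged: $http_get_params sanitizing loop, <th> opening, $description and $order defaults …
	if ($order == "asc") {
		$description .= 'sort(ascending)';
		$html .= "<a href='?order_by=".urlencode($field_name)."&order=desc".$app_uuid.$sanitized_parameters."' title='".htmlspecialchars($description, ENT_QUOTES, 'UTF-8')."'>".$column_title."</a>";
	}
	// … unchanged: the "desc" branch mirrors the "asc" branch with order=asc …
```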