Merge pull request FreePBX#32 in FREEPBX/superfecta from bugfix/FREEP…

…BX-20557-xss-in-superfecta.class.php to release/13.0 * commit '50f5bed02cf3d6d0b0e4e7d6e76df06bd0559d6d': FREEPBX-20557 XSS in Superfecta.class.php
udo1toni · Dec 3, 2019 · c03d262 · c03d262
2 parents 9c7c54b + 50f5bed
commit c03d262
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/Superfecta.class.php b/Superfecta.class.php
@@ -306,19 +306,22 @@ public function ajaxRequest($req, &$setting) {
 	public function ajaxCustomHandler() {
 		switch($_REQUEST['command']) {
 			case "debug":
-				echo "<span class='header'>"._('Debug is on and set at level:')."</span> ".$_REQUEST['level']."</br>";
-				echo "<span class='header'>"._('The Original Number:')."</span> ".$_REQUEST['tel']."</br>";
-				echo "<span class='header'>"._('The Scheme:')."</span> ".$_REQUEST['scheme']."</br>";
+				$tel 	= htmlEntities($_REQUEST['tel']);
+				$level 	= htmlEntities($_REQUEST['level']);
+				$schem 	= htmlEntities($_REQUEST['scheme']);
+				echo "<span class='header'>"._('Debug is on and set at level:')."</span> ". $level."</br>";
+				echo "<span class='header'>"._('The Original Number:')."</span> ".$tel."</br>";
+				echo "<span class='header'>"._('The Scheme:')."</span> ".$schem."</br>";
 				echo "<span class='header'>"._('Scheme Type:')."</span> SINGLEFECTA</br>";
 				echo "<span class='header'>"._('Debugging Enabled, will not stop after first result')."</span></br>";
 				echo "</br>";
 				$time_start = microtime(true);
-				$callerid = $this->execute($_REQUEST['scheme'],array(
-					'callerid' => $_REQUEST['tel'],
+				$callerid = $this->execute($schem,array(
+					'callerid' => $tel,
 					'did' => '5555555555',
 					'extension' => '5555555555',
 					'calleridname' => 'CID Superfecta!',
-				),$_REQUEST['level'],true);
+				), $level ,true);
 				$time_end = microtime(true);
 				echo "</br>";
 				echo "<span class='header'>"._('Returned Result would be:')."</span>".$callerid."</br>";