From 6e43101a99405af05ac79fb54c9e18c9f026d478 Mon Sep 17 00:00:00 2001 From: David O Neill Date: Thu, 12 Feb 2026 18:25:03 +0000 Subject: [PATCH] fix: sanitize extdisplay parameter to prevent XSS (fixes #176) Added htmlspecialchars() encoding to all instances of the extdisplay request parameter in form attributes across devices, users, and extensions views. The parameter was previously output directly into HTML attributes without sanitization, allowing potential XSS attacks via crafted URLs. This closes a reflected XSS vulnerability that could allow attackers to execute arbitrary JavaScript in admin sessions. --- views/devices.php | 2 +- views/extensions.php | 2 +- views/users.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/views/devices.php b/views/devices.php index 61b3fa636..ac8c4e0e2 100644 --- a/views/devices.php +++ b/views/devices.php @@ -1,5 +1,5 @@
-
+ diff --git a/views/extensions.php b/views/extensions.php index 51ffbdcdc..747e45f3b 100644 --- a/views/extensions.php +++ b/views/extensions.php @@ -1,5 +1,5 @@
- + diff --git a/views/users.php b/views/users.php index 3543ef775..2b486291f 100644 --- a/views/users.php +++ b/views/users.php @@ -1,5 +1,5 @@
- +
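Review bot: the hunk bodies are not visible in this rendering (only the `-` and `+` markers survive), so the encoded expression itself cannot be checked here; from the commit message the change is htmlspecialchars() on the extdisplay request parameter inside a form attribute, so confirm the call passes ENT_QUOTES (and ENT_SUBSTITUTE) with an explicit charset, e.g. `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Before PHP 8.1 the default flags are ENT_COMPAT, which leaves single quotes unencoded, so a single-quoted attribute would still be breakable. This applies to the views/devices.php hunk and equally to the views/extensions.php and views/users.php hunks, which make the same one-line change.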
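Review bot: the diffstat (3 files changed, 3 insertions, 3 deletions) shows exactly one changed line per view, while the commit message claims "all instances of the extdisplay request parameter in form attributes" were covered. Please state in the commit message how that was verified (a grep for extdisplay under views/ would do), and whether the parameter is rendered anywhere else in these views, such as a URL or inline JavaScript, since htmlspecialchars() only covers the HTML body and attribute contexts and would not be the right encoder there.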
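The pattern behind the fix, as an added example that is not code from this project: a reflected request parameter dropped into an HTML attribute, next to the same attribute rendered through htmlspecialchars() with the flags a reviewer would expect. The `<input>` markup, the `attr()` helper and the function names are hypothetical, and the attacker values are constructed; only the use of htmlspecialchars() on extdisplay comes from the patch.

```php
<?php
// Added example, not code from the project. The <input> markup and the
// attr() helper are hypothetical; the attacker values below are constructed.

// Constructed reflected input: closes the value attribute and adds an event handler.
$extdisplay = '101" autofocus onfocus="alert(document.cookie)';

// Before the fix: the request parameter is concatenated straight into the
// attribute, so the browser parses a second attribute (onfocus) and runs it.
function renderBefore(string $extdisplay): string
{
    return '<input type="hidden" name="extdisplay" value="' . $extdisplay . '">';
}

// After the fix: encode for the HTML attribute context. ENT_QUOTES also encodes
// single quotes (needed for single-quoted attributes; the pre-PHP 8.1 default
// ENT_COMPAT leaves them alone), ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8, and the charset is given explicitly.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderAfter(string $extdisplay): string
{
    return '<input type="hidden" name="extdisplay" value="' . attr($extdisplay) . '">';
}

echo renderBefore($extdisplay), PHP_EOL;
echo renderAfter($extdisplay), PHP_EOL;

// Single-quoted attribute: with ENT_COMPAT (the pre-8.1 default) the quote
// survives and the attribute is broken out of; with ENT_QUOTES it is encoded.
$single = "101' onmouseover='alert(1)";
echo "<input type='hidden' name='extdisplay' value='"
    . htmlspecialchars($single, ENT_COMPAT) . "'>", PHP_EOL;
echo "<input type='hidden' name='extdisplay' value='" . attr($single) . "'>", PHP_EOL;
```

In the encoded output the double quote becomes `&quot;` and the single quote `&#039;`, so the browser keeps the whole attacker string inside the value attribute instead of parsing it as new attributes. Run it under PHP 7.x as well as 8.1+ to see the ENT_COMPAT case differ: on 8.1+ the default flags already include ENT_QUOTES, which is why the explicit flags matter for code that has to run on older interpreters.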