fix(security): escape CDR CallerID data in DataTables to prevent stored XSS

jorikfon · jorikfon · commit a46815dc077d · 2026-04-12T11:45:13.000+07:00
Closes #1024 - Escape src_num, dst_num via SecurityUtils.escapeHtml() in createdRow callback (.html() rendered raw server data — direct XSS vector) - Escape data.ids and data.DT_RowId in template literal attributes - Add strip_tags() on CALLERID(name) and CONNECTEDLINE(name) at CDR write time in ActionHangupChan and ActionDialAnswer (defense-in-depth) - data-cdr-name attributes set via jQuery .attr() remain unescaped since .attr() is DOM-safe and downstream already escapes on read
diff --git a/sites/admin-cabinet/assets/js/pbx/CallDetailRecords/call-detail-records-index.js b/sites/admin-cabinet/assets/js/pbx/CallDetailRecords/call-detail-records-index.js
diff --git a/sites/admin-cabinet/assets/js/src/CallDetailRecords/call-detail-records-index.js b/sites/admin-cabinet/assets/js/src/CallDetailRecords/call-detail-records-index.js
@@ -359,13 +359,13 @@ const callDetailRecords = {
                 } else {
                     $('td', row).eq(0).html('');
                 }
-                $('td', row).eq(1).html(data[0]);
+                $('td', row).eq(1).html(SecurityUtils.escapeHtml(data[0]));
                 $('td', row).eq(2)
-                    .html(data[1])
+                    .html(SecurityUtils.escapeHtml(data[1]))
                     .addClass('need-update')
                     .attr('data-cdr-name', data[6] || '');
                 $('td', row).eq(3)
-                    .html(data[2])
+                    .html(SecurityUtils.escapeHtml(data[2]))
                     .addClass('need-update')
                     .attr('data-cdr-name', data[7] || '');
 
@@ -385,15 +385,15 @@ const callDetailRecords = {
                 // WHY: Log icon links to system-diagnostic page which requires specific permissions
                 const canViewLogs = typeof ACLHelper !== 'undefined' && ACLHelper.isAllowed('viewSystemDiagnostic');
                 if (canViewLogs && data.ids !== '') {
-                    actionsHtml += `<i data-ids="${data.ids}" class="file alternate outline icon" style="cursor: pointer; margin-right: 8px;"></i>`;
+                    actionsHtml += `<i data-ids="${SecurityUtils.escapeHtml(data.ids)}" class="file alternate outline icon" style="cursor: pointer; margin-right: 8px;"></i>`;
                 }
 
                 // Add delete button
                 // WHY: Use two-steps-delete mechanism to prevent accidental deletion
                 // First click changes trash icon to close icon, second click deletes
                 // WHY: Use data.DT_RowId which contains linkedid for grouped records
                 actionsHtml += `<a href="#" class="two-steps-delete delete-record popuped"
-                                   data-record-id="${data.DT_RowId}"
+                                   data-record-id="${SecurityUtils.escapeHtml(data.DT_RowId)}"
                                    data-content="${globalTranslate.cdr_DeleteRecord || 'Delete record'}">
                                    <i class="icon trash red" style="margin: 0;"></i>
                                 </a>`;
diff --git a/src/Core/Workers/Libs/WorkerCallEvents/ActionDialAnswer.php b/src/Core/Workers/Libs/WorkerCallEvents/ActionDialAnswer.php
@@ -307,12 +307,12 @@ private static function fillAnsweredCdr(WorkerCallEvents $worker, array $data, o
                 $am = Util::getAstManager('off');
                 $connectedName = $am->GetVar($srcChan, 'CONNECTEDLINE(name)', null, false);
                 if (is_string($connectedName) && $connectedName !== '' && $connectedName !== $row->dst_num) {
-                    $row->writeAttribute('dst_name', $connectedName);
+                    $row->writeAttribute('dst_name', strip_tags($connectedName));
                 }
                 if (empty($row->src_name)) {
                     $callerName = $am->GetVar($srcChan, 'CALLERID(name)', null, false);
                     if (is_string($callerName) && $callerName !== '' && $callerName !== $row->src_num) {
-                        $row->writeAttribute('src_name', $callerName);
+                        $row->writeAttribute('src_name', strip_tags($callerName));
                     }
                 }
             } catch (\Throwable $e) {
diff --git a/src/Core/Workers/Libs/WorkerCallEvents/ActionHangupChan.php b/src/Core/Workers/Libs/WorkerCallEvents/ActionHangupChan.php
@@ -305,6 +305,8 @@ public static function hangupChanCheckSipTrtansfer(WorkerCallEvents $worker, arr
             $CALLERID_NAME = $am->GetVar($BRIDGEPEER, 'CALLERID(name)', null, false);
             if (!is_string($CALLERID_NAME) || $CALLERID_NAME === $CALLERID) {
                 $CALLERID_NAME = '';
+            } else {
+                $CALLERID_NAME = strip_tags($CALLERID_NAME);
             }
             $n_data['action'] = 'sip_transfer';
             $n_data['src_chan'] = $data_chan['out'] ? $data_chan['chan'] : $BRIDGEPEER;

Original file line number	Diff line number	Diff line change
`@@ -307,12 +307,12 @@ private static function fillAnsweredCdr(WorkerCallEvents $worker, array $data, o`
`307`	`307`	`$am = Util::getAstManager('off');`
`308`	`308`	`$connectedName = $am->GetVar($srcChan, 'CONNECTEDLINE(name)', null, false);`
`309`	`309`	`if (is_string($connectedName) && $connectedName !== '' && $connectedName !== $row->dst_num) {`
`310`		`- $row->writeAttribute('dst_name', $connectedName);`
	`310`	`+ $row->writeAttribute('dst_name', strip_tags($connectedName));`
`311`	`311`	`}`
`312`	`312`	`if (empty($row->src_name)) {`
`313`	`313`	`$callerName = $am->GetVar($srcChan, 'CALLERID(name)', null, false);`
`314`	`314`	`if (is_string($callerName) && $callerName !== '' && $callerName !== $row->src_num) {`
`315`		`- $row->writeAttribute('src_name', $callerName);`
	`315`	`+ $row->writeAttribute('src_name', strip_tags($callerName));`
`316`	`316`	`}`
`317`	`317`	`}`
`318`	`318`	`} catch (\Throwable $e) {`
Original file line number	Diff line number	Diff line change
`@@ -305,6 +305,8 @@ public static function hangupChanCheckSipTrtansfer(WorkerCallEvents $worker, arr`
`305`	`305`	`$CALLERID_NAME = $am->GetVar($BRIDGEPEER, 'CALLERID(name)', null, false);`
`306`	`306`	`if (!is_string($CALLERID_NAME) \|\| $CALLERID_NAME === $CALLERID) {`
`307`	`307`	`$CALLERID_NAME = '';`
	`308`	`+ } else {`
	`309`	`+ $CALLERID_NAME = strip_tags($CALLERID_NAME);`
`308`	`310`	`}`
`309`	`311`	`$n_data['action'] = 'sip_transfer';`
`310`	`312`	`$n_data['src_chan'] = $data_chan['out'] ? $data_chan['chan'] : $BRIDGEPEER;`