From 236c9bf1d24b875bb4f664a89e82f1cc39c8f998 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Mon, 28 Sep 2020 20:05:58 +0200
Subject: [PATCH] Fix regression making export feature not working

---
 htdocs/imports/import.php | 4 ++--
 htdocs/main.inc.php       | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/htdocs/imports/import.php b/htdocs/imports/import.php
index 93d3139ca90..9fdc5330103 100644
--- a/htdocs/imports/import.php
+++ b/htdocs/imports/import.php
@@ -77,8 +77,8 @@ $importmodelid = GETPOST('importmodelid');
 $excludefirstline = (GETPOST('excludefirstline') ? GETPOST('excludefirstline') : 1);
 $endatlinenb		= (GETPOST('endatlinenb') ? GETPOST('endatlinenb') : '');
 $updatekeys			= (GETPOST('updatekeys', 'array') ? GETPOST('updatekeys', 'array') : array());
-$separator			= (GETPOST('separator') ? GETPOST('separator') : (!empty($conf->global->IMPORT_CSV_SEPARATOR_TO_USE) ? $conf->global->IMPORT_CSV_SEPARATOR_TO_USE : ','));
-$enclosure			= (GETPOST('enclosure') ? GETPOST('enclosure') : '"');
+$separator			= (GETPOST('separator', 'nohtml') ? GETPOST('separator', 'nohtml') : (!empty($conf->global->IMPORT_CSV_SEPARATOR_TO_USE) ? $conf->global->IMPORT_CSV_SEPARATOR_TO_USE : ','));
+$enclosure			= (GETPOST('enclosure', 'nohtml') ? GETPOST('enclosure', 'nohtml') : '"');
 
 $objimport = new Import($db);
 $objimport->load_arrays($user, ($step == 1 ? '' : $datatoimport));
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 241fe39f1ac..6cdf59a078a 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -118,7 +118,10 @@ function testSqlAndScriptInject($val, $type)
 	$inj += preg_match('/javascript\s*:/i', $val);
 	$inj += preg_match('/vbscript\s*:/i', $val);
 	// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
-	if ($type == 1) $inj += preg_match('/"/i', $val); // We refused " in GET parameters value
+	if ($type == 1) {
+		$val = str_replace('enclosure="', 'enclosure=X', $val);		// We accept enclosure="
+		$inj += preg_match('/"/i', $val); // We refused " in GET parameters value.
+	}
 	if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
 	return $inj;
 }