lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: We must not filter HTML content but only javascript content. This

Browse Source 
is to avoid to block fckeditor edition.
This commit is contained in:
Laurent Destailleur 2011-11-09 12:22:07 +01:00
parent 72c0a15f56
commit 45cee744c0
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/main.inc.php
View File

@ -83,9 +83,9 @@ function test_sql_and_script_inject($val, $get)
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
// For XSS Injection done by adding javascript with script
$sql_inj += preg_match('/<script/i', $val);
$sql_inj += preg_match('/img[\s]+src/i', $val);
$sql_inj += preg_match('/base[\s]+href/i', $val);
$sql_inj += preg_match('/style([\s]+)?=/i', $val);
if ($get) $sql_inj += preg_match('/img[\s]+src/i', $val);
if ($get) $sql_inj += preg_match('/style([\s]+)?=/i', $val);
if ($get) $sql_inj += preg_match('/javascript:/i', $val);
// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value