From 45cee744c02b8d012d0f53bf7289a5f448d776d0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 9 Nov 2011 12:22:07 +0100
Subject: [PATCH] Fix: We must not filter HTML content but only javascript content. This is to avoid to block fckeditor edition.
---
 htdocs/main.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 269083d8c06..6bb3f3dfb4d 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -83,9 +83,9 @@ function test_sql_and_script_inject($val, $get)
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 // For XSS Injection done by adding javascript with script
 $sql_inj += preg_match('/