Try another fix for #yogosha4514

Laurent Destailleur 2020-09-18 23:06:08 +02:00
parent 11bf662c38
commit 4710fedda6


@ -107,8 +107,7 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/:|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
//if ($type == 1)
//{
$inj += preg_match('/javascript%/i', $val);
$inj += preg_match('/javascript:/i', $val);
$inj += preg_match('/javascript\s*:/i', $val);
$inj += preg_match('/vbscript:/i', $val);
//}
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
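Review bot: The whitespace-tolerant `'/javascript\s*:/i'` check is not mirrored on the `vbscript:` line just below it, so the two scheme checks now accept different spellings; `$inj += preg_match('/vbscript\s*:/i', $val);` would keep them consistent. The hunk header (8 old lines, 7 new) suggests that the `javascript%` and `javascript:` checks are the ones being dropped, although the +/- markers are lost on this page. If so, nothing in this hunk covers a percent-encoded separator any more, so it is worth confirming that `$val` is already URL-decoded when it reaches this test. A one-line comment above the pattern, e.g. `// $val is expected to be URL-decoded by the caller; \s* tolerates whitespace before ':'`, would record that assumption. The body of testSqlAndScriptInject starts and ends outside the hunk.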