diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 3879f6c6978..ffa7c47bdff 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -107,8 +107,7 @@ function testSqlAndScriptInject($val, $type)
 $inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
 //if ($type == 1)
 //{
- $inj += preg_match('/javascript%/i', $val);
- $inj += preg_match('/javascript:/i', $val);
+ $inj += preg_match('/javascript\s*:/i', $val);
 $inj += preg_match('/vbscript:/i', $val);
 //}
 // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
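Review bot: The merged pattern `/javascript\s*:/i` loses the coverage the removed `/javascript%/i` line gave for percent-encoded separators such as `javascript%3A`, since `\s*:` only matches whitespace followed by a literal colon; unless the input is URL-decoded before reaching this check (not visible in the hunk), that variant now passes. The preceding context line handles the HTML-entity-encoded colon according to its comment, but nothing in the hunk handles the percent-encoded form. Consider `$inj += preg_match('/javascript\s*(:|%3a)/i', $val);` or, better, a short comment stating at which point of the pipeline the value is expected to be already URL-decoded so the assumption is explicit. The `vbscript:` check on the following line has the same gap if that assumption does not hold. The body of testSqlAndScriptInject starts before and continues after this hunk.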