From 4710fedda61b25afee74f17e5557f43ae61dcee7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 18 Sep 2020 23:06:08 +0200
Subject: [PATCH] Try another fix for #yogosha4514

---
 htdocs/main.inc.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 3879f6c6978..ffa7c47bdff 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -107,8 +107,7 @@ function testSqlAndScriptInject($val, $type)
 	$inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
 	//if ($type == 1)
 	//{
-		$inj += preg_match('/javascript%/i', $val);
-		$inj += preg_match('/javascript:/i', $val);
+		$inj += preg_match('/javascript\s*:/i', $val);
 	$inj += preg_match('/vbscript:/i', $val);
 	//}
 	// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
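Review bot: Dropping the `/javascript%/i` line narrows coverage rather than extending it: the new `/javascript\s*:/i` only tolerates whitespace between the keyword and the colon, so a percent-encoded separator that the removed line counted toward `$inj` is no longer detected, and the same `\s*` treatment is not applied to the `vbscript:` pattern on the following line. If the `%` check was removed deliberately (for example because it produced false positives on legitimate values), the commit message should say so; otherwise keep it next to the new pattern, `$inj += preg_match('/javascript%/i', $val);`. A denylist of regexes is inherently brittle against alternate encodings; a more durable approach is to normalise `$val` once (urldecode / html_entity_decode) before running these patterns, so that each encoding does not need its own regex. The enclosing function testSqlAndScriptInject starts and ends outside this hunk.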