From 6f01869bcb2291697243aeacd839dc2d07b4db3a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 24 Mar 2021 23:14:22 +0100
Subject: [PATCH] Enhance the WAF

---
 htdocs/core/lib/functions.lib.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index d567489c2f1..50ff91a6508 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -752,7 +752,8 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 $out = trim($out);
 do {
 $oldstringtoclean = $out;
-$out = str_ireplace(array('"', '"', '../'), '', $out);
+// Note &, '&', '&'... is a simple char like '&' alone but there is no reason to accept such way to encode input data.
+$out = str_ireplace(array('&', '&', '&', '"', '"', '"', '"', '"', '/', '/', '/', '../'), '', $out);
 } while ($oldstringtoclean != $out);
 // keep lines feed
 }
@@ -765,7 +766,8 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 $out = trim($out);
 do {
 $oldstringtoclean = $out;
-$out = str_ireplace(array('"', '"', '../'), '', $out);
+// Note &, '&', '&'... is a simple char like '&' alone but there is no reason to accept such way to encode input data.
+$out = str_ireplace(array('&', '&', '&', '"', '"', '"', '"', '"', '/', '/', '/', '../'), '', $out);
 } while ($oldstringtoclean != $out);
 }
 break;
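Review bot: The do/while block added here is byte-identical to the one in the hunk at @@ -765, and the commit had to patch both; moving the loop into a small private helper (say `stripEncodedSpecials(string $out): string`) would keep the two checkVal branches from drifting apart the next time the blocklist grows. The loop's exit test `while ($oldstringtoclean != $out)` is a loose comparison, which compares numeric-looking strings numerically; `while ($oldstringtoclean !== $out)` states the intended "string changed" condition. As rendered here the first three entries read `'&'` and the slash entries read `'/'`, so this page has presumably decoded the entity forms the patch really lists; if so, a comment such as `// Strip only the encoded variants; literal &, " and / are left alone, ../ is the one plain sequence removed.` would make the intent readable without decoding the array by hand. Because the filter rewrites the value instead of rejecting it, a legitimate input containing one of these sequences is altered silently; logging when the loop changes `$out` would help operators spot false positives. checkVal starts before the hunk.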