From 9d6e3be5d1106360f603dbc31c01a2ac44d30880 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 26 Sep 2020 05:20:33 +0200
Subject: [PATCH] Fix #yogosha4463

---
 htdocs/main.inc.php                  | 6 +++++-
 htdocs/public/payment/newpayment.php | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 33b94e7730c..cc489befd63 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -75,6 +75,7 @@ function testSqlAndScriptInject($val, $type)
 		$inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
 		$inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() that return current database login
 		$inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
+		$inj += preg_match('/<svg/i', $val);	// <svg can be allowed in POST
 	}
 	if ($type == 3)
 	{
@@ -174,7 +175,10 @@ if (!empty($_SERVER["PHP_SELF"]))
 // Sanity check on GET parameters
 if (!defined('NOSCANGETFORINJECTION') && !empty($_SERVER["QUERY_STRING"]))
 {
-	$morevaltochecklikeget = array($_SERVER["QUERY_STRING"]);
+	// Note: QUERY_STRING is url encoded, but $_GET and $_POST are already decoded
+	// Because the analyseVarsForSqlAndScriptsInjection is designed for already url decoded value, we must decode QUERY_STRING
+	// Another solution is to provide $_GET as parameter
+	$morevaltochecklikeget = array(urldecode($_SERVER["QUERY_STRING"]));
 	analyseVarsForSqlAndScriptsInjection($morevaltochecklikeget, 1);
 }
 // Sanity check on POST
diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php
index bf6375b5671..3d197296df7 100644
--- a/htdocs/public/payment/newpayment.php
+++ b/htdocs/public/payment/newpayment.php
@@ -1629,7 +1629,7 @@ if ($source == 'donation')
 
 if (!$found && !$mesg) $mesg = $langs->trans("ErrorBadParameters");
 
-if ($mesg) print '<tr><td align="center" colspan="2"><br><div class="warning">'.$mesg.'</div></td></tr>'."\n";
+if ($mesg) print '<tr><td align="center" colspan="2"><br><div class="warning">'.dol_escape_htmltag($mesg).'</div></td></tr>'."\n";
 
 print '</table>'."\n";
 print "\n";