Fix sql injection even when code is on several lines

This commit is contained in:
Laurent Destailleur 2016-01-08 14:43:04 +01:00
parent 36dc8b1ce7
commit a26a6c2449


@ -95,8 +95,8 @@ function test_sql_and_script_inject($val, $type)
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/i', $val);
$sql_inj += preg_match('/<.*onmouseover/i', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouseover/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);
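Review bot: The new `/<.*onmouseover/si` check can fail open, because with the `s` modifier `.*` now runs to the end of the whole value and the result of `preg_match()` is added to `$sql_inj` unchecked. On a very large input PCRE may hit its backtrack limit and return `false`, which adds 0, so the value would pass as clean. I would treat an engine error as a hit, e.g. `$r = preg_match('/<.*onmouseover/si', $val); $sql_inj += ($r === false) ? 1 : $r;`, and do the same for the other patterns. The `s` added to `/base[\s]+href/si` has no effect, since that pattern contains no dot and `[\s]+` already matches newlines, so it could stay `/i` to keep the intent clear. The body of test_sql_and_script_inject starts and continues outside this hunk, so checks for other event-handler attributes may exist there.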