From ad7fcd264b15b467c75719add855bbd51934fc32 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 19 Apr 2022 23:39:09 +0200
Subject: [PATCH] FIX Tabulation must be allowed for HTML content

---
 htdocs/main.inc.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 9d96eb63a27..1d09b9f9887 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -108,10 +108,11 @@ function testSqlAndScriptInject($val, $type)
 	// We check string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
 	// We should use dol_string_nounprintableascii but function is not yet loaded/available
 	// Example of valid UTF8 chars:
-	// utf8=utf8mb3: '\x0A', '\x0D', '\x7E'
+	// utf8=utf8mb3: '\x09', '\x0A', '\x0D', '\x7E'
 	// utf8=utf8mb3: '\xE0\xA0\x80'
 	// utf8mb4: '\xF0\x9D\x84\x9E' (but this may be refused by the database insert if pagecode is utf8=utf8mb3)
-	$newval = preg_replace('/[\x00-\x09\x0B-\x0C\x0E-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
+	$newval = preg_replace('/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
+	// Note that $newval may also be completely empty '' when non valid UTF8 are found.
 	if ($newval != $val) {
 		// If $val has changed after removing non valid UTF8 chars, it means we have an evil string.