From cddec2f4dcba356b1d6fa6e38e7aadc9617ee9bc Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 18 Sep 2020 13:25:56 +0200
Subject: [PATCH] Fix XSS

---
 htdocs/adherents/card.php | 6 +++---
 htdocs/main.inc.php       | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index d7a05a1805e..a13367326fa 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -1454,7 +1454,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) {
 
 		// Login
 		if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) {
-			print '<tr><td class="titlefield">'.$langs->trans("Login").' / '.$langs->trans("Id").'</td><td class="valeur">'.$object->login.'&nbsp;</td></tr>';
+			print '<tr><td class="titlefield">'.$langs->trans("Login").' / '.$langs->trans("Id").'</td><td class="valeur">'.dol_escape_htmltag($object->login).'</td></tr>';
 		}
 
 		// Type
@@ -1471,10 +1471,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) {
 		print '</td></tr>';
 
 		// Company
-		print '<tr><td>'.$langs->trans("Company").'</td><td class="valeur">'.$object->company.'</td></tr>';
+		print '<tr><td>'.$langs->trans("Company").'</td><td class="valeur">'.dol_escape_htmltag($object->company).'</td></tr>';
 
 		// Civility
-		print '<tr><td>'.$langs->trans("UserTitle").'</td><td class="valeur">'.$object->getCivilityLabel().'&nbsp;</td>';
+		print '<tr><td>'.$langs->trans("UserTitle").'</td><td class="valeur">'.$object->getCivilityLabel().'</td>';
 		print '</tr>';
 
 		// Password
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 995327bdee2..0c73df30c75 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -87,9 +87,10 @@ function testSqlAndScriptInject($val, $type)
 	// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
 	// All examples on page: http://ha.ckers.org/xss.html#XSScalc
 	// More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
-	$inj += preg_match('/<script/i', $val);
-	$inj += preg_match('/<iframe/i', $val);
 	$inj += preg_match('/<audio/i', $val);
+	$inj += preg_match('/<iframe/i', $val);
+	$inj += preg_match('/<object/i', $val);
+	$inj += preg_match('/<script/i', $val);
 	$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
 	if (!defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
 	$inj += preg_match('/base[\s]+href/si', $val);