Fix #yogosha6678

Laurent Destailleur 2021-07-21 01:18:48 +02:00
parent e4bb5ed008
commit dbed6bc0da
2 changed files with 2 additions and 2 deletions


@ -100,7 +100,7 @@ print "<br>\n";
// Check PHP support for $_GET and $_POST
if (!isset($_GET["testget"]) && !isset($_POST["testpost"])) { // We must keep $_GET and $_POST here
print '<img src="../theme/eldy/img/warning.png" alt="Warning"> '.$langs->trans("PHPSupportPOSTGETKo");
print ' (<a href="'.$_SERVER["PHP_SELF"].'?testget=ok">'.$langs->trans("Recheck").'</a>)';
print ' (<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?testget=ok">'.$langs->trans("Recheck").'</a>)';
print "<br>\n";
$checksok = 0;
} else {
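Review bot: The Recheck link still builds its href from `$_SERVER["PHP_SELF"]`, which includes any path info the client appends after the script name. Wrapping it in `dol_escape_htmltag()` stops the value from breaking out of the attribute, but the page keeps echoing request-controlled data on what looks like an installer check page. The link only has to re-request the same script with a query string, so it could drop the server variable altogether: `print ' (<a href="?testget=ok">'.$langs->trans("Recheck").'</a>)';`, or keep the escape call and pass `$_SERVER["SCRIPT_NAME"]` instead. Other unescaped uses of `PHP_SELF` in this file, if any, are outside the hunk and worth a grep. The enclosing `if`/`else` continues past the hunk's last line.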


@ -80,7 +80,7 @@ function realCharForNumericEntities($matches)
* Warning: Such a protection can't be enough. It is not reliable as it will always be possible to bypass this. Good protection can
* only be guaranted by escaping data during output.
*
* @param string $val Value brut found int $_GET, $_POST or PHP_SELF
* @param string $val Brut value found into $_GET, $_POST or PHP_SELF
* @param string $type 0=POST, 1=GET, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
* @return int >0 if there is an injection, 0 if none
*/