Fix: security

Add another restriction
2011-11-03 10:35:52 +01:00 · 2011-11-03 10:35:52 +01:00 · ea94610492
commit ea94610492
parent 9cc3bf0f87
1 changed files with 1 additions and 0 deletions
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@ -84,6 +84,7 @@ function test_sql_and_script_inject($val, $get)
 	// For XSS Injection done by adding javascript with script
    $sql_inj += preg_match('/<script/i', $val);
    $sql_inj += preg_match('/img[\s]src/i', $val);
+    $sql_inj += preg_match('/base[\s]href/i', $val);
 	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value