From ea94610492ef94dbfc0b74f9762fa8d05c0d269a Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Thu, 3 Nov 2011 10:35:52 +0100
Subject: [PATCH] Fix: security Add another restriction

---
 htdocs/main.inc.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index c257ecad47e..27bed102c63 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -84,6 +84,7 @@ function test_sql_and_script_inject($val, $get)
 	// For XSS Injection done by adding javascript with script
     $sql_inj += preg_match('/<script/i', $val);
     $sql_inj += preg_match('/img[\s]src/i', $val);
+    $sql_inj += preg_match('/base[\s]href/i', $val);
 	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value