
Enhance antiXSS by excluding non printable chars used to obfuscate hack

This commit is contained in:
Laurent Destailleur
2020-09-20 04:56:45 +02:00
parent 85aa1ab402
commit 2eb46b4900
3 changed files with 23 additions and 5 deletions


@@ -57,11 +57,13 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO']))
*/
function testSqlAndScriptInject($val, $type)
{
$val = html_entity_decode($val, ENT_QUOTES); // So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
$val = str_replace('%09', '', $val); // 'java%09script' is processed like 'javascript' (whatever is place of %09)
$val = html_entity_decode($val, ENT_QUOTES); // So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
// TODO loop to decode until no more thing to decode ?
// We clean string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
$val = preg_replace('/[\x00-\x1F\x7F]/u', '', $val); // We should use dol_string_nounprintableascii but function is not yet loaded/available
//var_dump($val);
$inj = 0;
// For SQL Injection (only GET are used to be included into bad escaped SQL requests)
if ($type == 1 || $type == 3)