Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 17:48:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix XSS injection into textarea

Browse Source
This commit is contained in:
Laurent Destailleur
2019-09-18 14:44:31 +02:00
parent e52788eb75
commit 00d5cff00d
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/main.inc.php
View File

@@ -116,6 +116,8 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/union.+select/i', $val); $inj += preg_match('/union.+select/i', $val);
$inj += preg_match('/(\.\.%2f)+/i', $val); $inj += preg_match('/(\.\.%2f)+/i', $val);
} }
// For XSS Injection done by closing textarea to exucute content into a textarea field
$inj += preg_match('/<\/textarea/i', $val);
// For XSS Injection done by adding javascript with script // For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript: // This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers // When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers