From 2caf1788823f2784c045de372ce9683dba47397a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 9 Nov 2011 14:10:49 +0100
Subject: [PATCH] Enhance protection

---
 htdocs/.gitignore   | 1 +
 htdocs/main.inc.php | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 htdocs/.gitignore

diff --git a/htdocs/.gitignore b/htdocs/.gitignore
new file mode 100644
index 00000000000..de589999216
--- /dev/null
+++ b/htdocs/.gitignore
@@ -0,0 +1 @@
+/test.php
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index b63c5a02856..5a214c0466c 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -85,13 +85,16 @@ function test_sql_and_script_inject($val, $type)
     	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 	}
 	// For XSS Injection done by adding javascript with script
+	// This is all cases a browser consider text is javascript:
+	// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
+	// All examples on page: http://ha.ckers.org/xss.html#XSScalc
     $sql_inj += preg_match('/<script/i', $val);
+    $sql_inj += preg_match('/<style/i', $val);
     $sql_inj += preg_match('/base[\s]+href/i', $val);
     if ($type == 1)
     {
-        $sql_inj += preg_match('/img[\s]+src/i', $val);
-        $sql_inj += preg_match('/style[\s]*=/i', $val);
 	    $sql_inj += preg_match('/javascript:/i', $val);
+	    $sql_inj += preg_match('/vbscript:/i', $val);
     }
 	// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
 	if ($type == 1) $sql_inj += preg_match('/"/i', $val);      // We refused " in GET parameters value