Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-06 09:02:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/3.5' into 3.6

Browse Source 
Conflicts:
	htdocs/main.inc.php
This commit is contained in:
Laurent Destailleur
2016-01-25 15:37:04 +01:00
parent 9fd56df03f ed16699de6
commit c1b6630c16
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/main.inc.php
View File

@@ -88,6 +88,7 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
$sql_inj += preg_match('/onerror=/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
@@ -96,7 +97,7 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouseover/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);