Fix #yogosha4539

This commit is contained in:
Laurent Destailleur 2020-09-19 18:01:06 +02:00
parent c6e66d1651
commit 673e1fe5aa


@ -57,7 +57,9 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO']))
*/
function testSqlAndScriptInject($val, $type)
{
$val=html_entity_decode($val, ENT_QUOTES); // So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
$val = html_entity_decode($val, ENT_QUOTES); // So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
$val = str_replace('%09', '', $val); // 'java%09script' is processed like 'javascript' (whatever is place of %09)
// TODO loop to decode until no more thing to decode ?
$inj = 0;