Typo fix

htdocs/admin/index.php

@@ -55,10 +55,11 @@ print $langs->trans("SetupDescription1").' ';
 print $langs->trans("AreaForAdminOnly").'<br>';
 
 
+print "<br>";
 print "<br>";
 print $langs->trans("SetupDescription2")."<br>";
 
-print "<br><br>";
+print "<br>";
 //print '<hr style="color: #DDDDDD;">';
 print img_picto('','puce').' '.$langs->trans("SetupDescription3")."<br>";
 print '<br>';

htdocs/cron/functions_cron.lib.php

@@ -20,7 +20,7 @@
 /**
  *      \file       	cron/functions_cron.lib.php
  *      \ingroup    	core
- *      \brief      	Functions for miscellanous cron tasks
+ *      \brief      	Functions for miscellaneous cron tasks
  *		\version		$Id$
  */
 

htdocs/langs/en_US/admin.lang

@@ -660,7 +660,7 @@ ListEvents=Audit events
 ListOfSecurityEvents=List of Dolibarr security events
 LogEventDesc=You can enable here the logging for Dolibarr security events. Administrators can then see its content via menu <b>System tools - Audit</b>. Warning, this feature can consume a large amount of data in database.
 AreaForAdminOnly=Those features can be used by <b>administrator users</b> only.
-SystemInfoDesc=System information is miscellanous technical information you get in read only mode and visible for administrators only.
+SystemInfoDesc=System information is miscellaneous technical information you get in read only mode and visible for administrators only.
 SystemAreaForAdminOnly=This area is available for administrator users only. None of the Dolibarr permissions can reduce this limit.
 CompanyFundationDesc=Edit on this page all known information of the company or foundation you need to manage
 DisplayDesc=You can choose each parameter related to the Dolibarr look and feel here

htdocs/main.inc.php

@@ -62,8 +62,9 @@ if (function_exists('get_magic_quotes_gpc'))	// magic_quotes_* removed in PHP6
 	@set_magic_quotes_runtime(0);
 }
 
-// Security: SQL Injection protection (Filters on GET, POST, REQUEST, COOKIE)
-function test_sql_inject($val)
+
+// Security: SQL and Script Injection protection (Filters on GET, POST)
+function test_sql_and_script_inject($val)
 {
 	$sql_inj = 0;
 	$sql_inj += eregi('delete[[:space:]]+from', $val);
@@ -71,29 +72,31 @@ function test_sql_inject($val)
 	$sql_inj += eregi('update.+set.+=', $val);
 	$sql_inj += eregi('insert[[:space:]]+into', $val);
 	$sql_inj += eregi('select.+from', $val);
+	$sql_inj += eregi('<script', $val);
 	return $sql_inj;
 }
-// Added by Matelli (See http://matelli.fr/showcases/patchs-dolibarr/patch-dolibarr-fix-sql-injection-check-in-array.html)
-function analyse_sql_injection(&$var)
+function analyse_sql_and_script(&$var)
 {
 	if (is_array($var))
 	{
 		$result = array();
 		foreach ($var as $key => $value)
 		{
-			if (test_sql_inject($key) > 0)
+			if (test_sql_and_script_inject($key) > 0)
 			{
-				unset($var[$key]);
+				print 'Access refused by SQL/Script injection protection in main.inc.php';
+				exit;
 			}
 			else
 			{
-				if (analyse_sql_injection($value))
+				if (analyse_sql_and_script($value))
 				{
 					$var[$key] = $value;
 				}
 				else
 				{
-					unset($var[$key]);
+					print 'Access refused by SQL/Script injection protection in main.inc.php';
+					exit;
 				}
 			}
 		}
@@ -101,11 +104,11 @@ function analyse_sql_injection(&$var)
 	}
 	else
 	{
-		return (test_sql_inject($var) <= 0);
+		return (test_sql_and_script_inject($var) <= 0);
 	}
 }
-analyse_sql_injection($_GET);
-analyse_sql_injection($_POST);
+analyse_sql_and_script($_GET);
+analyse_sql_and_script($_POST);
 
 // Security: CSRF protection
 // The test to do is to check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST']).