From cf4a71d8ae98aae69a23aa1601714bd383a20854 Mon Sep 17 00:00:00 2001
From: "denisb@a-working-class-hero-is-something-to.be" <>
Date: Mon, 11 Jun 2012 15:07:51 +0000
Subject: [PATCH] =?UTF-8?q?=C3=A9cran=20de=20s=C3=A9cu=20:=20filtrages=20m?=
 =?UTF-8?q?odifi=C3=A9s=20et=20ajout=20de=20=20var=5Fajax=5Fancre?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ecran_securite.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ecran_securite.php b/ecran_securite.php
index 7850c67..a230ae8 100644
--- a/ecran_securite.php
+++ b/ecran_securite.php
@@ -5,7 +5,7 @@
  * ------------------
  */
 
-define('_ECRAN_SECURITE', '1.1.0'); // 28 avril  2012
+define('_ECRAN_SECURITE', '1.1.1'); // 11 juin  2012
 
 /*
  * Documentation : http://www.spip.net/fr_article4200.html
@@ -50,14 +50,14 @@ foreach ($GLOBALS as $var => $val)
  */
 $cjpeg_command='';
 
-/*     - controle la variable lang, var_recherche, aide (XSS)
+/*     - controle de quelques variables (XSS)
  *
  */
-foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r') as $var) {
+foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre') as $var) {
 	if (isset($_GET[$var]))
-		$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w-]+,',' ',(string)$_GET[$var]);
+		$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_GET[$var]);
 	if (isset($_POST[$var]))
-		$_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w-]+,',' ',(string)$_POST[$var]);
+		$_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_POST[$var]);
 }
 
 /*     - filtre l'acces a spip_acces_doc (injection SQL en 1.8.2x)
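Review bot: The widened character class on the new L39/L42 lines, `,[^\w\,/#&;-]+,`, is applied to every variable in the list, so `lang`, `var_recherche`, `aide`, `var_lang_r` and `lang_r` lose the strict `[^\w-]` filter as well, although only `var_ajax_ancre` appears to need the extra characters. Because `&` and `;` are now both allowed, HTML entity sequences pass through the filter for all of these variables, so the values must still be escaped wherever they are echoed; the output sites are outside this hunk and I cannot verify them here. A per-variable pattern keeps the old guarantee for the existing names: before the two `isset` checks add `$filtre = ($var === 'var_ajax_ancre') ? ',[^\w\,/#&;-]+,' : ',[^\w-]+,';` and replace the literal in both calls with `preg_replace($filtre, ' ', (string)$_GET[$var])` / `preg_replace($filtre, ' ', (string)$_POST[$var])`. A short comment above the loop stating why `var_ajax_ancre` needs `,/#&;` would also help the next maintainer, since the header comment was changed to the vaguer "quelques variables".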
-- 
GitLab