fix(security): Escape script and input tags by default (#7811)

* fix(security): Escape script and input tags by default * enh(BE): avoid to call twice preg_replace method
centreon · Oct 4, 2019 · 6f7c576 · 6f7c576
1 parent 172c0a8
commit 6f7c576
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/www/class/centreonUtils.class.php b/www/class/centreonUtils.class.php
@@ -333,7 +333,8 @@ public static function escapeSecure(
     ) {
         switch ($escapeMethod) {
             case self::ESCAPE_LEGACY_METHOD:
-                return preg_replace("/<script.*?\/script>/s", "", $stringToEscape);
+                // Remove script and input tags by default
+                return preg_replace(array("/<script.*?\/script>/si", "/<input[^>]+\>/si"), "", $stringToEscape);
             case self::ESCAPE_ALL_EXCEPT_LINK:
                 return self::escapeAllExceptLink($stringToEscape);
             case self::ESCAPE_ALL: