From 2fc64b8e11af693dc86221f3cd3b4fae3f6897f5 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 10 May 2017 00:44:54 +0200
Subject: [PATCH] Fix XSS

---
 htdocs/core/lib/functions.lib.php | 2 +-
 htdocs/index.php                  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e0c9d520eef..e0beb3a8a8e 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -302,7 +302,7 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
 	            break;
 	        case 'aZ09':
 	            $out=trim($out);
-	            if (preg_match('/[^a-z0-9]+/i',$out)) $out='';
+	            if (preg_match('/[^a-z0-9_]+/i',$out)) $out='';
 	            break;
 	        case 'array':
 	            if (! is_array($out) || empty($out)) $out=array();
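Review bot: The `aZ09` case now accepts `_` as well as letters and digits, but neither the filter name nor a comment says so, so callers will keep assuming a strictly alphanumeric value. GETPOST is a shared helper, so this widens the allowlist for every existing `aZ09` caller, not only the one changed in index.php; it is worth checking that none of them depends on `_` being rejected (inferred, since those callers are outside this hunk). I would add a comment above the check, such as `// aZ09: letters, digits and underscore only; any other character empties the value`. The body of GETPOST starts and ends outside the hunk.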
diff --git a/htdocs/index.php b/htdocs/index.php
index 4b3f48f715f..5430fcf7d24 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -30,7 +30,7 @@ require 'main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
 
 // If not defined, we select menu "home"
-$_GET['mainmenu']=GETPOST('mainmenu', 'alpha')?GETPOST('mainmenu', 'alpha'):'home';
+$_GET['mainmenu']=GETPOST('mainmenu', 'aZ09')?GETPOST('mainmenu', 'aZ09'):'home';
 $action=GETPOST('action');
 
 $hookmanager->initHooks(array('index'));
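Review bot: The filtered value is written only to `$_GET['mainmenu']`, and only after `require 'main.inc.php'` has run, so any code that reads the parameter earlier, or from `$_POST`/`$_REQUEST`, may still see the raw value (inferred; those readers are not visible here). Filtering at this one call site should be paired with HTML escaping wherever `mainmenu` is printed, so the output stays safe regardless of which path supplies it. The line also calls GETPOST twice; reading once is clearer: `$mainmenu=GETPOST('mainmenu','aZ09');` followed by `$_GET['mainmenu']=$mainmenu?$mainmenu:'home';`. The neighbouring `$action=GETPOST('action');` passes no check and so uses the default empty `$check` shown in the GETPOST signature, so it is worth confirming that `$action` is only compared and never echoed.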
-- 
GitLab