SQL injection protection when i use a template

Dear friends,

I recently upgraded to the 3.2.0 version of Dolibarr.

The problem is that every time I use the Dolibarr editor templates and try to save the emailing, I get the following message:

“Access refused by SQL/Script injection protection in main.inc.php”

Please help.

Dan Reznik.

Can you cut the content of the editor you try to save, paste it into a file, and send the file to me at eldy@destailleur.fr?

I am also getting the same error in version 14.0.0 while creating a new event and providing HTML code with inline CSS in the description.

See main.inc.php: inside function testSqlAndScriptInject() there are several injection tests. You can disable them by commenting them out (at your own risk), or, for greater flexibility (but the same risk, of course), use the Setup → Other Setup page in Dolibarr.

How-to for disabling the <style tag check, for example:

Alter main.inc.php inside function testSqlAndScriptInject to something like:

if (!defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);

Then, from the Dolibarr main menu, open Setup → Other Setup, add a new constant with Name "NOSTYLECHECK" and Value 1, and click Save. This prevents further checks for <style tags in user input.

Note: do not use the string "<style" inside the Comment text field in Setup → Other Setup, though, as this still causes an SQL or Script injection error when you try to save the Setup → Other Setup page (at least for me in V13), and this can cause some confusion.
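The gating pattern described in the post above, as an added example that is not Dolibarr's own code: a small stand-in for the style of test found in testSqlAndScriptInject(), with the <style test skipped when a constant named NOSTYLECHECK is defined (the constant name, the function name exampleSqlAndScriptInject, the extra patterns and the sample inputs are all assumptions made for this illustration).

```php
<?php
// Added example, not code from Dolibarr's main.inc.php. A simplified stand-in
// for the kind of counting check that testSqlAndScriptInject() performs,
// showing how one test can be gated on a constant that an administrator
// defines in Setup -> Other Setup (the hypothetical NOSTYLECHECK used above).

function exampleSqlAndScriptInject(string $val): int
{
    $inj = 0;

    // The <style tag test, skipped when NOSTYLECHECK is defined. This is the
    // one-line change suggested in the post; note that a constant defined in
    // Setup -> Other Setup is global, so the check is off for every field.
    if (!defined('NOSTYLECHECK')) {
        $inj += preg_match('/<style/i', $val);
    }

    // Two further illustrative tests (assumed, not Dolibarr's actual list):
    // a <script tag and an inline event-handler attribute such as onclick="..."
    // (the attribute that had to be removed in a later reply).
    $inj += preg_match('/<script/i', $val);
    $inj += preg_match('/\bon[a-z]+\s*=/i', $val);

    // Any non-zero count would, in Dolibarr, lead to the "Access refused" message.
    return $inj;
}

// Constructed sample inputs for the demonstration.
$samples = [
    '<p style="color:red">Hello</p>',        // inline CSS attribute, not a <style> tag
    '<style>p { color: red }</style>',        // <style> tag
    '<a href="#" onclick="alert(1)">x</a>',   // inline event handler
];

foreach ($samples as $s) {
    printf("%d  %s\n", exampleSqlAndScriptInject($s), $s);
}

// Simulate the administrator having saved NOSTYLECHECK=1 in Setup -> Other Setup:
// the same <style> input is no longer counted.
define('NOSTYLECHECK', 1);
printf("%d  %s (with NOSTYLECHECK defined)\n",
    exampleSqlAndScriptInject('<style>p { color: red }</style>'),
    '<style>p { color: red }</style>');
```

Run with `php example.php`. The first three lines print counts of 0, 1 and 1; the last prints 0 because the <style test is skipped once the constant exists. Because `defined()` is evaluated at call time, the constant only needs to exist before the check runs, which is how a value stored in Setup → Other Setup and loaded at startup can switch the test off without further code changes. The trade-off is that the whole check is disabled for all users and all inputs, not only for the editor field that caused trouble.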

Excellent information given by you. You really gave a great explanation. This way we can customize the SQL or Script injection attack protection in a deeper way. In my case the problem was that in my HTML code I was using the onclick HTML attribute. Dolibarr was not letting me do that. So I just removed the onclick from my HTML, and it worked.

Hello,

I am having the same problem that ALSOFT indicates, only this time in the Accounting Module (when you try to modify/edit an accounting account).

I know that this is extra HTML code that is getting into the URL of the pencil button (modify/edit), because once removed, it allows me to access the window without problems.

This is the error message I’m getting:

Access refused by SQL or Script injection protection in main.inc.php - GETPOST type=1 paramkey=0 paramvalue=action=update&token=d0469427bb5e5e2ebdf12d4af56b624f&id=8&backtopage=/dolibarr/accountancy/admin/account.php?&contextpage=accountingaccountlist page=/dolibarr/accountancy/admin/card.php?action=update&token=d0469427bb5e5e2ebdf12d4af56b624f&id=8&backtopage=%2Fdolibarr%2Faccountancy%2Fadmin%2Faccount.php%3F%26contextpage%3Daccountingaccountlist

The part of the link that causes the problem is the following:

&backtopage=%2Fdolibarr%2Faccountancy%2Fadmin%2Faccount.php%3F%26contextpage%3Daccountingaccountlist

What can be done to prevent this extra HTML code from appearing and causing the problem?

By the way, I tried the solution indicated by berndseibe, but it didn't work for me :(

Greetings and thanks in advance.

A thousand apologies for my English.