I was going back in the history seeing how the current security scan (the paranoid one) came about:
(iframe|\\<\\?|\\<%|html|eval|body|script\W|[CF]WS[\x01-\x0C]) //Improved regular expression detection
(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W) // Don't allow the word 'description' to trigger a false positive.
(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script) // Added protection against <?= and <%=
(iframe|\\<\\?php|\\<\\?\s|\\<%\s|html|eval|body|script) // Relax the conditions for an avatar to be refused.
(iframe|\\<\\?php|\\<\\?|\\<%|html|eval|body|script) // Prevent certain ascii data to appear in avatars
The current one looks for \< or \<\ or \<% and will fail ... seems pretty strict to me, so strict in fact that probably no one uses it, since the odds of finding \< are darn good.
Looking at the progression, I don't think that was the intention, but I wanted to get some others' thoughts on that. I'm not sure what the signature in the file would be. Even the earlier ones of |\\<\\?php, which means \<php or \<\php, don't make sense to me; I could see \\<\\\?php or even \\<\\?\?php.
Any of you at heart hackers have insight on this one?
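Added here as a worked check, not code from the post or from the project itself: the five pattern versions quoted above run against a handful of constructed avatar bodies, so the effect of each change in the history is visible. It assumes the doubled backslashes are string-literal escaping (so the engine sees \<\? , a literal "<?") and that Python's re treats these constructs like the original engine; case sensitivity is not stated in the post, so the patterns are compiled as-is.

```python
import re

# The five versions of the avatar scan pattern quoted in the post, oldest first.
# Assumption (not stated in the post): the doubled backslashes are string-literal
# escaping, so the regex engine sees \<\? , i.e. a literal "<?" and nothing more.
# Case sensitivity is also not stated, so the patterns are compiled unchanged.
PATTERNS = {
    "v1 original":            rb"(iframe|\<\?php|\<\?|\<%|html|eval|body|script)",
    "v2 relaxed":             rb"(iframe|\<\?php|\<\?\s|\<%\s|html|eval|body|script)",
    "v3 catch <?= <%=":       rb"(iframe|\<\?php|\<\?[\s=]|\<%[\s=]|html|eval|body|script)",
    "v4 no 'description' FP": rb"(iframe|\<\?php|\<\?[\s=]|\<%[\s=]|html|eval|body|script\W)",
    "v5 current":             rb"(iframe|\<\?|\<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])",
}
# Bytes patterns keep ASCII semantics for \s and \W, matching what a byte scanner sees.
COMPILED = {name: re.compile(pat) for name, pat in PATTERNS.items()}


def flagged_by(data: bytes) -> set:
    """Names of the pattern versions that would refuse an avatar with these bytes."""
    return {name for name, rx in COMPILED.items() if rx.search(data)}


def first_hit(data: bytes, version: str):
    """The literal substring that triggered a given version, or None if it passes."""
    m = COMPILED[version].search(data)
    return m.group(0) if m else None


# Constructed sample avatar bodies (not real uploads); each probes one change in the history.
SAMPLES = {
    "png clean":       b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "gif + php tag":   b"GIF89a\x01\x00\x01\x00<?php echo 1; ?>",
    "gif + short tag": b"GIF89a\x01\x00\x01\x00<?= 1 ?>",
    "png + comment":   b"\x89PNG\r\n\x1a\ntEXtComment\x00A description of me",
    "compressed swf":  b"CWS\x0a\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} refused by: {sorted(flagged_by(body)) or 'nothing'}")
```

Note that the short-tag sample slips past v2 only, the "description" comment trips v1 through v3 only, and the compressed SWF header is caught by v5 alone.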