From 116fe9e05055b5f2002dfca7c9bcadcdc6c53dea Mon Sep 17 00:00:00 2001
From: Sebastian Mendel <cybot_tm@users.sourceforge.net>
Date: Fri, 9 Nov 2007 19:27:37 +0000
Subject: [PATCH] fixed possible XSS in database name - thanks to Omer Singer,
 The DigiTrust Group

---
 ChangeLog                         |  1 +
 libraries/List_Database.class.php | 28 ++++++++++++++++------------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e709b9e03..e7fe8aeea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -36,6 +36,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 
 2.11.2.1 (not yet released)
 - fixed possible SQL injection using database name
+- fixed possible XSS in database name - thanks to Omer Singer, The DigiTrust Group
 
 2.11.2.0 (2007-10-27)
 - patch #1791576 HTTP auth: support REDIRECT_REMOTE_USER, thanks to Allard
diff --git a/libraries/List_Database.class.php b/libraries/List_Database.class.php
index 64c2bd7cf..13274453b 100644
--- a/libraries/List_Database.class.php
+++ b/libraries/List_Database.class.php
@@ -340,25 +340,29 @@ require_once './libraries/List.class.php';
             $selected = $this->getDefault();
         }
 
-    $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
+        $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
         foreach ($this->getGroupedDetails($offset, $count) as $group => $dbs) {
             if (count($dbs) > 1) {
-                $return .= '<li>' . $group . '<ul>' . "\n";
+                $return .= '<li>' . htmlspecialchars($group) . '<ul>' . "\n";
                 // wether display db_name cuted by the group part
-                $cut = true;
+                $cut = htmlspecialchars($db['disp_name_cut']);
             } else {
                 // .. or full
-                $cut = false;
+                $cut = htmlspecialchars($db['disp_name']);
             }
             foreach ($dbs as $db) {
-            $return .= '<li';
-            if ($db['name'] == $selected) {
-                $return .= ' class="selected"';
-            }
-        $return .= '><a' . (! empty($db['comment']) ? ' title="' . $db['comment'] . '"' : '') . ' href="index.php?' . PMA_generate_common_url($db['name']) . '" target="_parent">';
-                $return .= ($cut ? $db['disp_name_cut'] : $db['disp_name'])
-            .' (' . $db['num_tables'] . ')';
-        $return .= '</a></li>' . "\n";
+                $return .= '<li';
+                if ($db['name'] == $selected) {
+                    $return .= ' class="selected"';
+                }
+                $return .= '><a';
+                if (! empty($db['comment'])) {
+                    $return .= ' title="' . htmlspecialchars($db['comment']) . '"';
+                }
+                $return .= ' href="index.php?' . PMA_generate_common_url($db['name'])
+                    . '" target="_parent">';
+                $return .= $cut .' (' . $db['num_tables'] . ')';
+                $return .= '</a></li>' . "\n";
             }
             if (count($dbs) > 1) {
                 $return .= '</ul></li>' . "\n";