[security] Self-XSS on database names (Operations/rename), see PMASA-2011-18

ChangeLog

@@ -20,6 +20,7 @@ phpMyAdmin - ChangeLog
 - bug #3425156 [interface] Add column after drop
 - [interface] Avoid showing the password in phpinfo()'s output
 - [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
+- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
 
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import

js/db_operations.js

@@ -32,7 +32,7 @@ $(document).ready(function() {
 
         var $form = $(this);
 
-        var question = 'CREATE DATABASE ' + $('#new_db_name').val() + ' / DROP DATABASE ' + window.parent.db;
+        var question = escapeHtml('CREATE DATABASE ' + $('#new_db_name').val() + ' / DROP DATABASE ' + window.parent.db);
 
         PMA_prepareForAjaxRequest($form);
         /**