From 1fe1aa6c0e2d85bed1343f4be21d672368e0a9c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:23:13 +0200
Subject: [PATCH] Fix XSS on tablename and pred_tablename.

---
 server_privileges.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server_privileges.php b/server_privileges.php
index 1e6d64edc..da1c248f9 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1598,7 +1598,7 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
             $url_dbname = htmlspecialchars(urlencode(str_replace('\_', '_', $dbname)));
             echo ' <i><a href="' . $GLOBALS['cfg']['DefaultTabDatabase'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;reload=1">' . htmlspecialchars($dbname) . '</a></i>' . "\n";
             if (isset($tablename) && strlen($tablename)) {
-                echo '    - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;table=' . urlencode($tablename) . '&amp;reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
+                echo '    - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;table=' . htmlspecialchars(urlencode($tablename)) . '&amp;reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
             }
             unset($url_dbname);
         }