fixed bug #1433882 html special chars not escaped in query in querybox

2006-02-18 13:51:11 +00:00
parent 29b387b350
commit 2433c3f2af
2 changed files with 56 additions and 53 deletions
--- a/3
+++ b/3
@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
 $Id$
 $Source$

+2006-02-17 Sebastian Mendel <cybot_tm@users.sourceforge.net>
+    * libraries/sql_query_form.lib.php:
+      fixed bug #1433882 html special chars not escaped in query in querybox
 2006-02-17 Marc Delisle  <lem9@users.sourceforge.net>
    * lang/*, db_details_structure.php:
      bug #1431352, no %d in strViewMaxExactCount
--- a/libraries/sql_query_form.lib.php
+++ b/libraries/sql_query_form.lib.php
@@ -11,8 +11,8 @@
 * @usedby  querywindow.php
 */

-require_once('./libraries/file_listing.php'); // used for file listing
-require_once('./libraries/bookmark.lib.php'); // used for file listing
+require_once './libraries/file_listing.php'; // used for file listing
+require_once './libraries/bookmark.lib.php'; // used for file listing

 /**
 * prints the sql query boxes
@@ -276,7 +276,7 @@ function PMA_sqlQueryFormInsert($query = '', $is_querywindow = false)
        .'  cols="' . $GLOBALS['cfg']['TextareaCols'] . '"'
        .'  rows="' . $GLOBALS['cfg']['TextareaRows'] . '"'
        .'  dir="' . $GLOBALS['text_dir'] . '"'
-        .$auto_sel . $locking . '>' . $query . '</textarea>' . "\n";
+        .$auto_sel . $locking . '>' . htmlspecialchars($query) . '</textarea>' . "\n";
    echo '</div>' . "\n";

    if (count($fields_list)) {