[security] XSS: Insufficient output sanitizing in bookmarks

This commit is contained in:
Marc Delisle
2009-06-30 10:48:08 +00:00
parent 15a8349164
commit 2a893aba92
3 changed files with 5 additions and 2 deletions


@@ -27,6 +27,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #2809930 [setup] Notice: Undefined variable: k in setup/index.php
- bug [features] Incorrect report of missing relational features
3.2.0.1 (2009-06-30)
- [security] XSS: Insufficient output sanitizing in bookmarks
3.2.0.0 (2009-06-15)
- [core] better support for vendor customisation (based on what Debian needs)
+ rfe #2127987 warn when session.gc_maxlifetime is less than cookie validity


@@ -305,7 +305,7 @@ function PMA_formatSql($parsed_sql, $unparsed_sql = '')
// well, not quite
// first check for the SQL parser having hit an error
if (PMA_SQP_isError()) {
return $parsed_sql;
return htmlspecialchars($parsed_sql['raw']);
}
// then check for an array
if (!is_array($parsed_sql)) {
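Review bot: The new return on line 28 indexes `$parsed_sql['raw']` before the `is_array` check that immediately follows it, so a non-array argument that reaches the error branch (the later check implies callers may pass one) would be read as a string offset instead of being escaped as a whole. If PMA_SQP_isError() can be true for a string argument, guard the access, e.g. `return htmlspecialchars(is_array($parsed_sql) ? $parsed_sql['raw'] : $parsed_sql);`, adjusted to whatever the non-array form actually holds. Note also that htmlspecialchars() with no flags leaves single quotes untouched and uses the PHP default charset; if this value is ever placed inside a single-quoted attribute, pass `ENT_QUOTES` and the configured charset. PMA_formatSql() starts and ends outside the hunk.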


@@ -311,7 +311,7 @@ if (isset($GLOBALS['show_as_php']) || !empty($GLOBALS['validatequery'])) {
$table = '';
}
$active_page = $goto;
$message = PMA_Message::rawError($error);
$message = htmlspecialchars(PMA_Message::rawError($error));
/**
* Go to target path.
*/
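Review bot: Wrapping the whole `PMA_Message::rawError($error)` call in htmlspecialchars() on line 40 escapes the factory's return value rather than the untrusted `$error`; if rawError() returns a PMA_Message object, the call coerces it to a string, so `$message` changes type for whatever consumes it after the hunk, and any markup the class itself produces is escaped along with the error text. Escaping the input before it enters the message keeps the type intact: `$message = PMA_Message::rawError(htmlspecialchars($error));`. The return type of rawError() is not visible from this hunk, so confirm it against the class before changing the line. The enclosing code continues outside the hunk.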