From 3759bdc56de7b742b32f4d0c3f2a452b47dce191 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Tue, 13 Mar 2007 14:21:31 +0000
Subject: [PATCH] bug #1679801 [core] XSS vulnerability in PMA_sanitize()
---
 ChangeLog | 7 +++++++
 libraries/sanitizing.lib.php | 36 +++++++++++++++++++++++++++++++++---
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 6a6ca24b7..cd1e4cce6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,13 @@ $HeadURL$ - bug [core] undefined variable in libraries/tbl_replace_fields.inc.php - bug [gui] query window icon did not work, thanks to Jürgen Wind - windkiel . [general] use PMA_getenv('PHP_SELF') +- bug #1673599 [core] Call to undefined function PMA_isSuperuser() +- bug [core] XSS vulnerability in PMA_sanitize(), thanks to sp3x SecurityReason + +2.10.0.3 (not released yet) +===================== + +- bug #1679801 [core] XSS vulnerability in PMA_sanitize(), thanks to sp3x SecurityReason 2.10.0.2 (2007-03-02) =====================
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index b36af285a..ba42f2de3 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -1,11 +1,17 @@ '
', '[/a]' => '', ); - return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '', strtr($message, $replace_pairs)); + $sanitized_message = strtr($message, $replace_pairs); + $sanitized_message = preg_replace( + '/\[a@([^"@]*)@([^]"]*)\]/e', + '\'\'', + $sanitized_message); + + return $sanitized_message; } +/** + * removes javascript + * + * @uses trim() + * @uses strtolower() + * @uses substr() + * @param string uri + */ +function PMA_sanitizeUri($uri) +{ + $uri = trim($uri); + + if (strtolower(substr($uri, 0, 10)) === 'javascript') { + return ''; + } + + return $uri; +} ?>
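Review bot: The `e` modifier on the new `preg_replace` pattern (`'/\[a@([^"@]*)@([^]"]*)\]/e'`) makes PHP evaluate the replacement operand as code with both captured groups substituted into it, so every `[a@...@...]` token in a message to be sanitized now goes through the interpreter; the replacement operand itself is illegible in this rendering (`'\'\''`), so I cannot see what it assembles. Build the anchor in a callback instead: keep the pattern without `e`, switch the call to `preg_replace_callback` with a named function, and have that function return the anchor assembled from `PMA_sanitizeUri($matches[1])` and `$matches[2]`, which involves no code evaluation at all (the `e` modifier was later deprecated in PHP 5.5 and removed in 7.0). Separately, `PMA_sanitizeUri` only rejects a target whose first ten characters spell `javascript` after `trim()`; a deny-list on one literal prefix leaves every other scheme and every spelling variant a browser tolerates untouched, so an allow-list of permitted schemes (or relative paths) is the safer check to add in that function. The `<?php` header and the opening of `PMA_sanitize` are not legible in this hunk as rendered, so the surrounding context of the `$replace_pairs` table could not be reviewed.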