XSS in MSIE using NUL byte, thanks to JPCERT.

This commit is contained in:
Michal Čihař
2008-09-22 10:13:32 +00:00
parent f8d65ec564
commit 44f9f2f8b7
2 changed files with 8 additions and 0 deletions

View File

@@ -11,6 +11,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- [core] do not automatically set and create TempDir, it might lead to security
issue (thanks to Thijs Kinkhorst)
2.11.9.2 (2008-09-22)
- [security] XSS in MSIE using NUL byte, thanks to JPCERT.
2.11.9.1 (2008-09-15)
- [security] Code execution vulnerability, thanks to Norman Hippert

View File

@@ -46,6 +46,10 @@ function PMA_jsFormat($a_string = '', $add_backquotes = true)
* enclosed by <![CDATA[ ... ]]>
* this requires only to escape ' with \' and end of script block
*
* We also remove NUL byte as some browsers (namely MSIE) ignore it and
* it and inserting it anywhere inside </script would allow to pass this
* check.
*
* @uses strtr()
* @uses preg_replace()
* @param string $string the string to be escaped
@@ -55,6 +59,7 @@ function PMA_escapeJsString($string)
{
return preg_replace('@</script@i', '</\' + \'script',
strtr($string, array(
"\000" => '',
'\\' => '\\\\',
'\'' => '\\\'',
"\n" => '\n',