From 59b3b4916b31fa44f31b1e2d243ca7dda012ba37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Fri, 20 Aug 2010 11:35:42 +0200
Subject: [PATCH] Escape error message coming from MySQL to avoid XSS on bad parameters.

---
 libraries/dbi/mysql.dbi.lib.php | 2 ++
 libraries/dbi/mysqli.dbi.lib.php | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 275458832..4750ee225 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -348,6 +348,8 @@ function PMA_DBI_getError($link = null)
         $error_message = PMA_DBI_convert_message($error_message);
     }
 
+    $error_message = htmlspecialchars($error_message);
+
     // Some errors messages cannot be obtained by mysql_error()
     if ($error_number == 2002) {
         $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index 913bce627..52f760140 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -406,6 +406,8 @@ function PMA_DBI_getError($link = null)
         $error_message = PMA_DBI_convert_message($error_message);
     }
 
+    $error_message = htmlspecialchars($error_message);
+
     if ($error_number == 2002) {
         $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
     } else {
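Review bot: The added `htmlspecialchars($error_message)` call uses the default flags, so single quotes are left unescaped and the charset falls back to the PHP default, which on the PHP versions of this era is not UTF-8 even though PMA_DBI_convert_message has just produced the message text; an attacker-influenced message placed in a single-quoted attribute, or one containing multibyte sequences the default charset mishandles, can still break out of the intended context. The same call in the mysqli.dbi.lib.php hunk has the identical gap. I would make the escaping explicit in both places: `$error_message = htmlspecialchars($error_message, ENT_QUOTES, 'UTF-8');`. A further caveat worth a comment on the added line is that the escaping now happens inside the data-access layer, so any caller of PMA_DBI_getError that already escapes, or that emits the message in a non-HTML context (logs, plain text, JSON), will see doubled or spurious entities — something like `// NOTE: the returned message is already HTML-escaped; do not escape it again at the output site` keeps callers from compounding it. PMA_DBI_getError starts and ends outside both hunks, so the branches that actually interpolate $error_message into $error are not visible here.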