Added some html quoting.

This commit is contained in:
Michal Čihař
2003-08-05 17:12:48 +00:00
parent defa87298e
commit 5becc1f284
6 changed files with 12 additions and 10 deletions


@@ -17,6 +17,8 @@ $Source$
libraries/config_import.lib.php3, config.inc.php3: Allow column headers
for Excel export (bug #771299).
* header.inc.php3: Don't allow including this file twice.
* db_details.php3, db_details_importdocsql.php3, export.php3,
tbl_move_copy.php3, tbl_rename.php3: Added some html quoting.
2003-08-05 Marc Delisle <lem9@users.sourceforge.net>
* libraries/sqlparser.data.php3: bug 779453, wrong count


@@ -59,7 +59,7 @@ $auto_sel = ($cfg['TextareaAutoSelect']
<input type="hidden" name="goto" value="db_details.php3" />
<input type="hidden" name="zero_rows" value="<?php echo htmlspecialchars($strSuccess); ?>" />
<input type="hidden" name="prev_sql_query" value="<?php echo ((!empty($query_to_display)) ? htmlspecialchars($query_to_display) : ''); ?>" />
<?php echo sprintf($strRunSQLQuery, $db) . ' ' . PMA_showMySQLDocu('Reference', 'SELECT'); ?>&nbsp;:<br />
<?php echo sprintf($strRunSQLQuery, htmlspecialchars($db)) . ' ' . PMA_showMySQLDocu('Reference', 'SELECT'); ?>&nbsp;:<br />
<div style="margin-bottom: 5px">
<textarea name="sql_query" cols="<?php echo $cfg['TextareaCols'] * 2; ?>" rows="<?php echo $cfg['TextareaRows']; ?>" wrap="virtual" dir="<?php echo $text_dir; ?>"<?php echo $auto_sel; ?>>
<?php echo ((!empty($query_to_display)) ? htmlspecialchars($query_to_display) : ''); ?>
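Review bot: The new `htmlspecialchars($db)` on the label line uses the default quote handling, which leaves single quotes untouched; that is harmless in this text-node position, but the same form emits values inside double-quoted attributes (`value="..."` on the hidden inputs, `dir="..."` on the textarea), so escaping with `htmlspecialchars($db, ENT_QUOTES)` everywhere keeps the result correct regardless of which context a line later ends up in. `$text_dir` and `$auto_sel` are written into the textarea tag raw; they look configuration-derived rather than request-derived, which is fine if that holds, but the hunk does not show where they are set. The form these lines belong to starts before the hunk.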


@@ -103,7 +103,7 @@ global $GLOBALS;
return 1;
} else {
if ($content != 'none') {
echo '<p><font color="orange">' . sprintf($GLOBALS['strIgnoringFile'], ' ' . $file) . '</font></p>' . "\n";
echo '<p><font color="orange">' . sprintf($GLOBALS['strIgnoringFile'], ' ' . htmlspecialchars($file)) . '</font></p>' . "\n";
} else {
// garvin: disabled. Shouldn't impose ANY non-submitted files ever.
echo '<p><font color="orange">' . sprintf($GLOBALS['strIgnoringFile'], ' ' . '...') . '</font></p>' . "\n";
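Review bot: Whether `$file` is validated before any filesystem use earlier in this function cannot be checked from the hunk — the changed message line is the only place the name appears here — and that check matters more than the output escaping, which is correct as written for an import-supplied name. The `$content != 'none'` test on the line above is a loose comparison; under pre-PHP 8 rules an integer `0` compares equal to `'none'`, so `$content !== 'none'` states the sentinel check unambiguously and is behaviour-neutral for string input. The enclosing function begins before the hunk.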


@@ -74,7 +74,7 @@ function PMA_exportOutputHandler($line)
if ($GLOBALS['save_on_server']) {
$write_result = @fwrite($GLOBALS['file_handle'], $line);
if (!$write_result || ($write_result != strlen($line))) {
$GLOBALS['message'] = sprintf($GLOBALS['strNoSpace'], $save_filename);
$GLOBALS['message'] = sprintf($GLOBALS['strNoSpace'], htmlspecialchars($save_filename));
return FALSE;
}
$time_now = time();
@@ -195,13 +195,13 @@ if ($save_on_server) {
$save_filename = $cfg['SaveDir'] . ereg_replace('[/\\]','_',$filename);
unset($message);
if (file_exists($save_filename) && empty($onserverover)) {
$message = sprintf($strFileAlreadyExists, $save_filename);
$message = sprintf($strFileAlreadyExists, htmlspecialchars($save_filename));
} else {
if (is_file($save_filename) && !is_writable($save_filename)) {
$message = sprintf($strNoPermission, $save_filename);
$message = sprintf($strNoPermission, htmlspecialchars($save_filename));
} else {
if (!$file_handle = @fopen($save_filename, 'w')) {
$message = sprintf($strNoPermission, $save_filename);
$message = sprintf($strNoPermission, htmlspecialchars($save_filename));
}
}
}
@@ -418,9 +418,9 @@ if (!empty($asfile)) {
$write_result = @fwrite($file_handle, $dump_buffer);
fclose($file_handle);
if (strlen($dump_buffer) !=0 && (!$write_result || ($write_result != strlen($dump_buffer)))) {
$message = sprintf($strNoSpace, $save_filename);
$message = sprintf($strNoSpace, htmlspecialchars($save_filename));
} else {
$message = sprintf($strDumpSaved, $save_filename);
$message = sprintf($strDumpSaved, htmlspecialchars($save_filename));
}
$js_to_run = 'functions.js';
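Review bot: In the first hunk, inside `PMA_exportOutputHandler`, the failure message reads a bare `$save_filename` while every neighbouring value is read through `$GLOBALS[...]`; unless a `global $save_filename` declaration sits earlier in the function (which starts before the hunk), that is an undefined local and the message names no file at all. Reading it like its siblings, `$GLOBALS['message'] = sprintf($GLOBALS['strNoSpace'], htmlspecialchars($GLOBALS['save_filename']));`, would fix that and match the surrounding style. Separately, each of these messages now shows the full `$cfg['SaveDir'] . ...` path to the browser; reporting only the sanitized `$filename` component would avoid disclosing the server-side directory. The `if ($save_on_server)` block of the second hunk and the `if (!empty($asfile))` block of the third both begin outside the hunk.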


@@ -390,7 +390,7 @@ if (isset($new_name) && trim($new_name) != '') {
}
$message = (isset($submit_move) ? $strMoveTableOK : $strCopyTableOK);
$message = sprintf($message, $source, $target);
$message = sprintf($message, htmlspecialchars($source), htmlspecialchars($target));
$reload = 1;
$js_to_run = 'functions.js';
/* Check: Work on new table or on old table? */
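Review bot: Escaping `$source` and `$target` at the point where `$message` is built means `$message` now carries pre-escaped HTML text, while the code that later prints it (outside this hunk) cannot tell whether a given `$message` was escaped by its producer; any assignment to `$message` left raw elsewhere is rendered unescaped by the same path, and an `htmlspecialchars` added at output time would double-encode this one. A single convention — keep `$message` as plain text and escape exactly once where it is echoed — is easier to keep correct than escaping in some producers. The enclosing `if (isset($new_name) ...)` block starts before the hunk.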


@@ -37,7 +37,7 @@ if (isset($new_name) && trim($new_name) != '') {
PMA_mysql_select_db($db);
$sql_query = 'ALTER TABLE ' . PMA_backquote($old_name) . ' RENAME ' . PMA_backquote($new_name);
$result = PMA_mysql_query($sql_query) or PMA_mysqlDie('', '', '', $err_url);
$message = sprintf($strRenameTableOK, $old_name, $table);
$message = sprintf($strRenameTableOK, htmlspecialchars($old_name), htmlspecialchars($table));
$reload = 1;
// garvin: Move old entries from comments to new table
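Review bot: The message escapes `$old_name` and `$table` for HTML, but the same identifiers go into the `ALTER TABLE ... RENAME` statement two lines above through `PMA_backquote()` alone; whether that helper escapes a backtick embedded in a name is not visible here, and if it does not, a name containing `` ` `` breaks out of the quoted identifier. Worth confirming, or rejecting such names before the query is built. Note also that the message reports `$table` while the statement uses `$new_name`; presumably `$table` is assigned from `$new_name` just before the hunk, otherwise the success message names the wrong table. The enclosing `if (isset($new_name) ...)` block begins before the hunk.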