From 6028221d97efa2a7d56a61ab4c5750d1b2343619 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:07:45 +0200
Subject: [PATCH] Fix XSS on dbname.

---
 server_privileges.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server_privileges.php b/server_privileges.php
index 93cab9544..566401625 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1600,7 +1600,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
             if (isset($tablename)) {
                 echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
                     . '&amp;username=' . urlencode($username) . '&amp;hostname=' . urlencode($hostname)
-                    . '&amp;dbname=' . $url_dbname . '&amp;tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+                    . '&amp;dbname=' . htmlspecialchars($url_dbname) . '&amp;tablename=">' . htmlspecialchars($dbname) . '</a></i>';
                 echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>';
             } else {
                 echo ' <i>' . htmlspecialchars($dbname) . '</i>';
@@ -1836,14 +1836,14 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
                        . '    <td>';
                     printf($link_edit, urlencode($username),
                         urlencode($hostname),
-                        urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+                        urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
                         urlencode((! isset($dbname)) ? '' : $row['Table_name']));
                     echo '</td>' . "\n"
                        . '    <td>';
                     if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
                         printf($link_revoke, urlencode($username),
                             urlencode($hostname),
-                            urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+                            urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
                             urlencode((! isset($dbname)) ? '' : $row['Table_name']));
                     }
                     echo '</td>' . "\n"