From 6d6f47bdb2c7f5519dcc6497a6ebf9ebc305e6de Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Wed, 28 Jun 2006 15:39:56 +0000
Subject: [PATCH] escape allowed parameters from non-token requests

---
 ChangeLog | 2 ++
 libraries/common.lib.php | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 6074c5f0e..144ffa03a 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,8 @@ $Source$ 2006-06-28 Marc Delisle * libraries/Config.class.php: remove debug code + * libraries/common.lib.php: escape allowed parameters from non-token + requests 2006-06-27 Michal Čihař * libraries/import/csv.php: Fix special case of Excel export with ; at the
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 564a0b2b3..b59ec9ba9 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -2808,6 +2808,9 @@ if (!isset($_REQUEST['token']) || $_SESSION['PMA_token'] != $_REQUEST['token'])
 unset($_GET[$key]);
 unset($_POST[$key]);
 unset($GLOBALS[$key]);
+ } else {
+ // allowed stuff could be compromised so escape it
+ $_REQUEST[$key] = htmlspecialchars($_REQUEST[$key]);
 }
 }
 }
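Review bot: The new else branch escapes only `$_REQUEST[$key]`, while the unset branch directly above it clears `$_GET`, `$_POST` and `$GLOBALS` for the same key, so any code that reads an allowed parameter from `$_GET`/`$_POST` (or a registered global) still receives the raw, unescaped value. `htmlspecialchars()` with its default flags also leaves single quotes untouched, so the call should at least be `$_REQUEST[$key] = htmlspecialchars($_REQUEST[$key], ENT_QUOTES);` with the result mirrored back, e.g. `if (isset($_GET[$key])) { $_GET[$key] = $_REQUEST[$key]; }` and the same for `$_POST` and `$GLOBALS`, so all readers see one consistent value. If an allowed parameter can arrive as an array, `htmlspecialchars()` will not handle it (it expects a string), so a per-element walk or a type check is presumably needed — worth confirming against the allow-list. Escaping at input time is HTML-specific; allowed parameters that later reach SQL or filesystem paths still need their own context-appropriate handling and should not be treated as safe because of this line. The enclosing `foreach` and `if` start outside the hunk.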