From 6efe63b35491a641401a265a2fd2e8aa88cfe1f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Mon, 22 Sep 2008 10:13:32 +0000
Subject: [PATCH] XSS in MSIE using NUL byte, thanks to JPCERT.
---
 ChangeLog | 3 +++
 libraries/js_escape.lib.php | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 4698f2387..e685b4166 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
+2.11.9.2 (2008-09-22)
+- [security] XSS in MSIE using NUL byte, thanks to JPCERT.
+
 2.11.9.1 (2008-09-15)
 - [security] Code execution vulnerability, thanks to Norman Hippert
diff --git a/libraries/js_escape.lib.php b/libraries/js_escape.lib.php
index 9d128aa31..d4dfb5604 100644
--- a/libraries/js_escape.lib.php
+++ b/libraries/js_escape.lib.php
@@ -46,6 +46,10 @@ function PMA_jsFormat($a_string = '', $add_backquotes = true) * enclosed by * this requires only to escape ' with \' and end of script block * + * We also remove NUL byte as some browsers (namely MSIE) ignore it and + * it and inserting it anywhere inside '', '\\' => '\\\\', '\'' => '\\\'', "\n" => '\n',