nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Escape user input to avoid XSS.

Browse Source
This commit is contained in:
Michal Čihař
2006-05-12 14:33:29 +00:00
parent 124a77d32e
commit 79f778db99
2 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
$Id$ $Id$
$Source$ $Source$
2006-05-12 Michal Čihař <michal@cihar.com>
* libraries/footer.inc.php: Escape user input to avoid XSS.
2006-05-06 Michal Čihař <michal@cihar.com> 2006-05-06 Michal Čihař <michal@cihar.com>
* Documentation.html: Describe better regullar expressions in hide_db * Documentation.html: Describe better regullar expressions in hide_db
(patch #1482049, thanks to Isaac Bennetch - ibennetch). (patch #1482049, thanks to Isaac Bennetch - ibennetch).

8
libraries/footer.inc.php
View File

@@ -25,7 +25,7 @@ if (! isset($GLOBALS['no_history']) && isset($GLOBALS['db'])
$table = isset($GLOBALS['table']) ? $GLOBALS['table'] : ''; ?> $table = isset($GLOBALS['table']) ? $GLOBALS['table'] : ''; ?>
// updates current settings // updates current settings
if (window.parent.setAll) { if (window.parent.setAll) {
window.parent.setAll('<?php echo $GLOBALS['lang']; ?>', '<?php echo $GLOBALS['collation_connection']; ?>', '<?php echo $GLOBALS['server']; ?>', '<?php echo $GLOBALS['db']; ?>', '<?php echo $table; ?>'); window.parent.setAll('<?php echo $GLOBALS['lang']; ?>', '<?php echo htmlspecialchars($GLOBALS['collation_connection']); ?>', '<?php echo $GLOBALS['server']; ?>', '<?php echo htmlspecialchars($GLOBALS['db']); ?>', '<?php echo htmlspecialchars($table); ?>');
} }
<?php } ?> <?php } ?>
@@ -54,9 +54,9 @@ if (! isset($GLOBALS['no_history']) && empty($GLOBALS['error_message'])) {
// set current db, table and sql query in the querywindow // set current db, table and sql query in the querywindow
if (window.parent.refreshLeft) { if (window.parent.refreshLeft) {
window.parent.reload_querywindow( window.parent.reload_querywindow(
"<?php echo isset($GLOBALS['db']) ? addslashes($GLOBALS['db']) : '' ?>", "<?php echo isset($GLOBALS['db']) ? htmlspecialchars(addslashes($GLOBALS['db'])) : '' ?>",
"<?php echo isset($GLOBALS['table']) ? addslashes($GLOBALS['table']) : '' ?>", "<?php echo isset($GLOBALS['table']) ? htmlspecialchars(addslashes($GLOBALS['table'])) : '' ?>",
"<?php echo isset($GLOBALS['sql_query']) ? urlencode($GLOBALS['sql_query']) : ''; ?>"); "<?php echo isset($GLOBALS['sql_query']) ? htmlspecialchars(urlencode($GLOBALS['sql_query'])) : ''; ?>");
} }
<?php } ?> <?php } ?>