From 7dc6cea06522b2d4af50934c983f3967540a4918 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:09:13 +0200
Subject: [PATCH] Fix XSS on tablename and pred_tablename.

---
 server_privileges.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server_privileges.php b/server_privileges.php
index 566401625..b11a96fa5 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1923,7 +1923,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
             if (isset($tablename)) {
                 echo ' [ ' . $GLOBALS['strTable'] . ' <a href="'
                     . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
-                    . '&amp;db=' . $url_dbname . '&amp;table=' . urlencode($tablename)
+                    . '&amp;db=' . $url_dbname . '&amp;table=' . htmlspecialchars(urlencode($tablename))
                     . '&amp;reload=1">' . htmlspecialchars($tablename) . ': '
                     . PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
                     . "</a> ]\n";