From b49d14dbc181f17e6466fa9b13efecf230d2134e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Mon, 22 Sep 2008 10:13:32 +0000
Subject: [PATCH] XSS in MSIE using NUL byte, thanks to JPCERT.

---
 ChangeLog                   | 3 +++
 libraries/js_escape.lib.php | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 46bbe5554..bbe60063b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -88,6 +88,9 @@ danbarry
 + [lang] Hungarian update, thanks to Jozsef Tamas Herczeg - dodika 
 - bug #2113848 [navi] Page number after database switching 
 
+2.11.9.2 (2008-09-22)
+- [security] XSS in MSIE using NUL byte, thanks to JPCERT.
+
 2.11.9.1 (2008-09-15)
 - [security] Code execution vulnerability, thanks to Norman Hippert
 
diff --git a/libraries/js_escape.lib.php b/libraries/js_escape.lib.php
index 9d128aa31..d4dfb5604 100644
--- a/libraries/js_escape.lib.php
+++ b/libraries/js_escape.lib.php
@@ -46,6 +46,10 @@ function PMA_jsFormat($a_string = '', $add_backquotes = true)
  * enclosed by <![CDATA[ ... ]]>
  * this requires only to escape ' with \' and end of script block
  *
+ * We also remove NUL byte as some browsers (namely MSIE) ignore it and
+ * it and inserting it anywhere inside </script would allow to pass this
+ * check.
+ *
  * @uses    strtr()
  * @uses    preg_replace()
  * @param   string  $string the string to be escaped
@@ -55,6 +59,7 @@ function PMA_escapeJsString($string)
 {
     return preg_replace('@</script@i', '</\' + \'script',
                         strtr($string, array(
+                                "\000" => '',
                                 '\\' => '\\\\',
                                 '\'' => '\\\'',
                                 "\n" => '\n',