Escape HTML in js-generated confirmation messages

Marc Delisle
2011-09-08 15:38:40 -04:00
parent 2f28ce9c80
commit bda213c58a
3 changed files with 17 additions and 5 deletions


@@ -44,7 +44,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` DROP `' + curr_column_name + '`';
var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` DROP `' + escapeHtml(curr_column_name) + '`';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
@@ -83,7 +83,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` ADD PRIMARY KEY(`' + curr_column_name + '`)';
var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` ADD PRIMARY KEY(`' + escapeHtml(curr_column_name) + '`)';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
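Review bot: The escaping is applied by hand at each call site, on the `var question = ...` lines of both hunks (the DROP and the ADD PRIMARY KEY confirmations), so the dialog stays safe only as long as every caller of `PMA_confirm` remembers to wrap each dynamic part in `escapeHtml()`. Neither `PMA_confirm` nor `escapeHtml` is visible here, but if `PMA_confirm` inserts `question` as markup, it would be more robust to state that contract at its definition, or to have it accept plain text and render it with `.text()`. At minimum I would add a comment above each assignment, e.g. `// PMA_confirm renders question as HTML: escape every identifier taken from the page`. The click handlers enclosing both hunks start and end outside the visible lines, so where `curr_table_name` and `curr_column_name` come from cannot be checked from here.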