- fixed XSS in server_status.php, thanks to Omer Singer, The DigiTrust Group

- fixed some possible XSS with PHP_SELF (PATH_INFO)
Sebastian Mendel
2007-10-16 07:09:50 +00:00
parent bdd2250124
commit c32d999eb1
6 changed files with 33 additions and 17 deletions


@@ -1449,6 +1449,7 @@ function PMA_localisedDate($timestamp = -1, $format = '')
* returns a tab for tabbed navigation.
* If the variables $link and $args ar left empty, an inactive tab is created
*
* @uses $GLOBALS['PMA_PHP_SELF']
* @uses $GLOBALS['strEmpty']
* @uses $GLOBALS['strDrop']
* @uses $GLOBALS['active_page']
@@ -1492,7 +1493,7 @@ function PMA_getTab($tab)
} elseif (!empty($tab['active'])
|| (isset($GLOBALS['active_page'])
&& $GLOBALS['active_page'] == $tab['link'])
|| (basename(PMA_getenv('PHP_SELF')) == $tab['link'] && empty($tab['warning'])))
|| (basename($GLOBALS['PMA_PHP_SELF']) == $tab['link'] && empty($tab['warning'])))
{
$tab['class'] = 'active';
}
@@ -1788,6 +1789,7 @@ function PMA_flipstring($string, $Separator = "<br />\n")
* @todo use PMA_fatalError() if $die === true?
* @uses PMA_getenv()
* @uses header_meta_style.inc.php
* @uses $GLOBALS['PMA_PHP_SELF']
* basename
* @param array The names of the parameters needed by the calling
* script.
@@ -1809,7 +1811,7 @@ function PMA_checkParameters($params, $die = true, $request = true)
$checked_special = false;
}
$reported_script_name = basename(PMA_getenv('PHP_SELF'));
$reported_script_name = basename($GLOBALS['PMA_PHP_SELF']);
$found_error = false;
$error_message = '';