From dac8d6ce256333ff45b5f46270304b8657452740 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Tue, 22 Nov 2011 12:46:46 -0500
Subject: [PATCH] [security] Self-XSS on column type (table Search), see
 PMASA-2011-18

---
 ChangeLog      | 1 +
 tbl_select.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f7eb3e5d8..b8f159afe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@ phpMyAdmin - ChangeLog
 - [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
 - [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
 - [security] Self-XSS on column type (Create index), see PMASA-2011-18
+- [security] Self-XSS on column type (table Search), see PMASA-2011-18
 
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import
diff --git a/tbl_select.php b/tbl_select.php
index 2cb008629..841422292 100644
--- a/tbl_select.php
+++ b/tbl_select.php
@@ -124,7 +124,7 @@ if (!isset($param) || $param[0] == '') {
         ?>
         <tr class="noclick <?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>">
             <th><?php echo htmlspecialchars($fields_list[$i]); ?></th>
-            <td><?php echo $fields_type[$i]; ?></td>
+            <td><?php echo htmlspecialchars($fields_type[$i]); ?></td>
             <td><?php echo $fields_collation[$i]; ?></td>
             <td><select name="func[]">
         <?php
@@ -190,7 +190,7 @@ if (!isset($param) || $param[0] == '') {
             <?php
         } elseif (strncasecmp($fields_type[$i], 'enum', 4) == 0) {
             // e n u m s
-            $enum_value=explode(', ', str_replace("'", '', substr($fields_type[$i], 5, -1)));
+            $enum_value=explode(', ', str_replace("'", '', substr(htmlspecialchars($fields_type[$i]), 5, -1)));
             $cnt_enum_value = count($enum_value);
             echo '            <select name="fields[' . $i . '][]"'
                 .' multiple="multiple" size="' . min(3, $cnt_enum_value) . '">' . "\n";