nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make better use of PMA_generate_common_url to prevent XSS

Browse Source
This commit is contained in:
Herman van Rink
2011-08-05 11:45:16 +02:00
parent 9d54e57fc8
commit e11e55cb06
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
tbl_tracking.php
View File

@@ -382,7 +382,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
<small><?php echo $strTrackingStatements . ' ' . htmlspecialchars($data['tracking']); ?></small><br/>
<br/>
<form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>">
<form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<?php
$str1 = '<select name="logtype">' .
@@ -500,7 +500,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
}
?>
</form>
<form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>">
<form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<?php
printf($strTrackingShowLogDateUsers, $str1, $str2, $str3, $str4, $str5);
@@ -513,7 +513,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
$str_export2 = '<input type="submit" name="report_export" value="' . $strGo .'" />';
?>
</form>
<form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>">
<form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
<input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
<input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
@@ -622,7 +622,11 @@ if ($last_version > 0) {
<td><?php echo $version['date_created'];?></td>
<td><?php echo $version['date_updated'];?></td>
<td><?php echo $version_status;?></td>
<td> <a href="tbl_tracking.php?<?php echo $url_query;?>&amp;report=true&amp;version=<?php echo $version['version'];?>"><?php echo $strTrackingReport;?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&amp;snapshot=true&amp;version=<?php echo $version['version'];?>"><?php echo $strTrackingStructureSnapshot;?></a></td>
<td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])
);?>"><?php echo $strTrackingReport;?></a>
| <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version'])
);?>"><?php echo $strTrackingStructureSnapshot;?></a>
</td>
</tr>
<?php
if ($style == 'even') {