fix for fixed possible XSS in database name - thanks to Omer Singer, The DigiTrust Group

sorry ... should test more ... ;-)
Sebastian Mendel
2007-11-09 21:24:40 +00:00
parent 116fe9e050
commit e804c18084


@@ -345,10 +345,10 @@ require_once './libraries/List.class.php';
if (count($dbs) > 1) { if (count($dbs) > 1) {
$return .= '<li>' . htmlspecialchars($group) . '<ul>' . "\n"; $return .= '<li>' . htmlspecialchars($group) . '<ul>' . "\n";
// wether display db_name cuted by the group part // wether display db_name cuted by the group part
$cut = htmlspecialchars($db['disp_name_cut']); $cut = true;
} else { } else {
// .. or full // .. or full
$cut = htmlspecialchars($db['disp_name']); $cut = false;
} }
foreach ($dbs as $db) { foreach ($dbs as $db) {
$return .= '<li'; $return .= '<li';
@@ -361,7 +361,12 @@ require_once './libraries/List.class.php';
} }
$return .= ' href="index.php?' . PMA_generate_common_url($db['name']) $return .= ' href="index.php?' . PMA_generate_common_url($db['name'])
. '" target="_parent">'; . '" target="_parent">';
$return .= $cut .' (' . $db['num_tables'] . ')'; if ($cut) {
$return .= htmlspecialchars($db['disp_name_cut']);
} else {
$return .= htmlspecialchars($db['disp_name']);
}
$return .= ' (' . $db['num_tables'] . ')';
$return .= '</a></li>' . "\n"; $return .= '</a></li>' . "\n";
} }
if (count($dbs) > 1) { if (count($dbs) > 1) {
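Review bot: `$db['num_tables']` is still appended to the markup without escaping or a cast, on the line right after the new if/else in the second hunk, so that output is only as safe as whatever populates the field. It is presumably an integer table count, but the hunk does not show where it is set; if it is always a count, `$return .= ' (' . (int) $db['num_tables'] . ')';` makes that explicit, otherwise wrap it in `htmlspecialchars()` like the display names beside it. The same question applies to the result of `PMA_generate_common_url($db['name'])` placed in the `href` attribute, since its escaping is defined outside this page and should be confirmed to be attribute-safe. The enclosing function starts and ends outside the hunk.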