XSS Vulnerability

[prodigysml]

There are multiple instances of XSS within PHPMiniAdmin. Some of them are stored, which implies that it will persist for all users and social engineering is not required.

The easiest way to patch this is simply use htmlentities every time you echo something.

[osalabs]

Could you please describe specific places where "multiple instances of XSS" exists?

I already reviewed and fixed such issues, but I might miss some place.

[prodigysml]

If the database name is an XSS payload, it will execute the javascript. I am actually working on a quick patch which I will give to you as a pull request which should fix these issues, if that is okay with you :)

[osalabs]

yes, that would be nice, thank you

[prodigysml]

I have added in a pull request for this bug. Here is the pull request: #29

[prodigysml]

Just a quick reminder about the patch for XSS :)

[osalabs]

Thank you for reminder, I reviewed patch and it need some changes. Once done, I'll test it in full.

[osalabs]

fixed in 1.9.170730