XSS in MSIE using NUL byte, thanks to JPCERT.

commit 0d219abdcd55c11f7f629a58a2279f0839bd2acc 1 parent c4c683b
Michal Čihař (nijel) authored
Showing with 8 additions and 0 deletions.
  1. +3 −0  ChangeLog
  2. +5 −0 libraries/js_escape.lib.php
3  ChangeLog
@@ -111,6 +111,9 @@ danbarry
+ [lang] Hungarian update, thanks to Jozsef Tamas Herczeg - dodika
- bug #2113848 [navi] Page number after database switching
+2.11.9.2 (2008-09-22)
+- [security] XSS in MSIE using NUL byte, thanks to JPCERT.
+
2.11.9.1 (2008-09-15)
- [security] Code execution vulnerability, thanks to Norman Hippert
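Review bot: the new `[security]` line for 2.11.9.2 carries no tracker or advisory reference, while the bug entry just above it in the same hunk cites `bug #2113848`; adding the corresponding reference once it exists would let the fix be traced from the ChangeLog. The placement itself is consistent with the file: a new `2.11.9.2 (2008-09-22)` block sits below the unreleased entries and above `2.11.9.1 (2008-09-15)`.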
5 libraries/js_escape.lib.php
@@ -46,6 +46,10 @@ function PMA_jsFormat($a_string = '', $add_backquotes = true)
* enclosed by <![CDATA[ ... ]]>
* this requires only to escape ' with \' and end of script block
*
+ * We also remove NUL byte as some browsers (namely MSIE) ignore it and
+ * it and inserting it anywhere inside </script would allow to pass this
+ * check.
+ *
* @uses strtr()
* @uses preg_replace()
* @param string $string the string to be escaped
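Review bot: the added docblock sentence has a duplicated phrase and does not parse, `ignore it and` / `it and inserting it anywhere inside </script would allow to pass this check`; suggest `We also remove the NUL byte, because some browsers (namely MSIE) ignore it, so inserting one anywhere inside </script would bypass the check below.` It would also help to say that the removal is done in strtr() before the preg_replace() for </script, since the `@uses` lines list both and the order is what makes the fix effective.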
@@ -55,6 +59,7 @@ function PMA_escapeJsString($string)
{
return preg_replace('@</script@i', '</\' + \'script',
strtr($string, array(
+ "\000" => '',
'\\' => '\\\\',
'\'' => '\\\'',
"\n" => '\n',