Use javascript for redirection to https

The current approach is broken since whitelisting is active in url.php and also allows potential bbcode injection. Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Jun 15, 2016 · 1dca386 · 1dca386
1 parent 6e07862
commit 1dca386
Showing 1 changed file with 12 additions and 15 deletions.
diff --git a/setup/frames/index.inc.php b/setup/frames/index.inc.php
@@ -73,21 +73,18 @@
         . 'sensitive information, like passwords) is transferred unencrypted!'
     );
 
-    if (!empty($_SERVER['REQUEST_URI']) && !empty($_SERVER['HTTP_HOST'])) {
-        $link = htmlspecialchars(
-            'https://' .  $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
-        );
-        $text .= ' ';
-        $text .= PMA_sanitize(
-            sprintf(
-                __(
-                    'If your server is also configured to accept HTTPS requests '
-                    . 'follow [a@%s]this link[/a] to use a secure connection.'
-                ),
-                $link
-            )
-        );
-    }
+    $text .= ' <a href="#" onclick="window.location.href = \'https:\' + window.location.href.substring(window.location.protocol.length);">';
+
+    // Temporary workaround to use tranlated message in older releases
+    $text .= str_replace(
+        array('[a@%s]', '[/a]'),
+        array('', ''),
+        __(
+            'If your server is also configured to accept HTTPS requests '
+            . 'follow [a@%s]this link[/a] to use a secure connection.'
+        )
+    );
+    $text .= '</a>';
     PMA_messagesSet('notice', 'no_https', __('Insecure connection'), $text);
 }