
Commit 29a1f56

author
Marc Delisle
committed
bug #4492 [security] XSS in AJAX confirmation messages
Signed-off-by: Marc Delisle <marc@infomarc.info>
1 parent 61a9484 commit 29a1f56

3 files changed

+4
-2
lines changed


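--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,7 @@ phpMyAdmin - ChangeLog
 - bug #4459 First few characters of database name aren't clickable when expanded
 - bug #4486 [security] XSS injection due to unescaped table comment
 - bug #4488 [security] XSS injection due to unescaped table name (triggers)
+- bug #4492 [security] XSS in AJAX confirmation messages
 
 4.2.5.0 (2014-06-26)
 - bug #4467 shell_exec() has been disabled for security reasons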

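--- a/js/functions.js
+++ b/js/functions.js
@@ -3548,7 +3548,7 @@ AJAX.registerOnload('functions.js', function () {
 var question = PMA_messages.strDropTableStrongWarning + ' ';
 question += $.sprintf(
 PMA_messages.strDoYouReally,
-'DROP TABLE ' + PMA_commonParams.get('table')
+'DROP TABLE ' + escapeHtml(PMA_commonParams.get('table'))
 );
 
 $(this).PMA_confirm(question, $(this).attr('href'), function (url) {
@@ -3614,7 +3614,7 @@ AJAX.registerOnload('functions.js', function () {
 var question = PMA_messages.strTruncateTableStrongWarning + ' ';
 question += $.sprintf(
 PMA_messages.strDoYouReally,
-'TRUNCATE ' + PMA_commonParams.get('table')
+'TRUNCATE ' + escapeHtml(PMA_commonParams.get('table'))
 );
 $(this).PMA_confirm(question, $(this).attr('href'), function (url) {
 PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);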
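Review bot: The escaping is applied per call site, on the `PMA_commonParams.get('table')` argument in both the DROP TABLE and TRUNCATE hunks, but nothing at these sites records why, so a later edit that builds a similar confirmation string from the table name is likely to repeat the original bug. I would add a short comment above each `question += $.sprintf(` line, e.g. `// table name is user-controlled and PMA_confirm renders the question as HTML; escape it here`. If PMA_confirm (defined outside this hunk) always renders its first argument as HTML, escaping the untrusted part once at that sink would cover every caller; I cannot tell from the hunk whether callers pass intentional markup, so that is a question rather than a request. The enclosing AJAX.registerOnload callback starts and ends outside both hunks.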

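--- a/js/tbl_structure.js
+++ b/js/tbl_structure.js
@@ -198,6 +198,7 @@ AJAX.registerOnload('tbl_structure.js', function () {
 * @var curr_column_name String containing name of the field referred to by {@link curr_row}
 */
 var curr_column_name = $curr_row.children('th').children('label').text();
+curr_column_name = escapeHtml(curr_column_name);
 /**
 * @var $after_field_item Corresponding entry in the 'After' field.
 */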
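Review bot: The added line overwrites `curr_column_name` with its HTML-escaped form, so the variable no longer holds what the `@var` comment directly above says it holds, and any later use of it as a plain value (a request parameter, a comparison against the label text, an SQL identifier) would now see `&amp;`, `&lt;` and friends instead of the real name. I would keep the raw name and escape into a separately named variable used only at the HTML sink, e.g. `var curr_column_name_html = escapeHtml(curr_column_name);`, or at least update the doc comment to `@var curr_column_name HTML-escaped name of the field referred to by {@link curr_row}`. Whether such non-HTML uses exist is not visible in this hunk; the enclosing callback starts and ends outside it.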
