Skip to content
Browse files

Escape HTML in js-generated confirmation messages

  • Loading branch information...
1 parent 2f28ce9 commit bda213c58aec44925be661acb0e76c19483ea170 @lem9 lem9 committed Sep 8, 2011
Showing with 17 additions and 5 deletions.
  1. +2 −1 ChangeLog
  2. +13 −2 js/functions.js
  3. +2 −2 js/tbl_structure.js
View
3 ChangeLog
@@ -11,6 +11,8 @@ phpMyAdmin - ChangeLog
- [export] Remove native Excel export modules (xls and xlsx formats)
- [import] Remove native Excel import modules (xls and xlsx formats)
- bug #3392920 [edit] BLOB emptied after editing another column
+- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14
+- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
3.4.4.0 (2011-08-24)
- bug #3323060 [parser] SQL parser breaks AJAX requests if query has unclosed quotes
@@ -31,7 +33,6 @@ phpMyAdmin - ChangeLog
- bug #3374347 [display] Backquotes in normal text on import page
- bug #3358750 [core] With Suhosin, urls are too long in edit links
- [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13
-- [security] Fixed XSS in Inline Edit on save action
3.4.3.2 (2011-07-23)
- [security] Fixed XSS vulnerability, see PMASA-2011-9
View
15 js/functions.js
@@ -172,7 +172,7 @@ function selectContent( element, lock, only_once ) {
}
/**
- * Displays a confirmation box before to submit a "DROP/DELETE/ALTER" query.
+ * Displays a confirmation box before submitting a "DROP/DELETE/ALTER" query.
* This function is called while clicking links
*
* @param object the link
@@ -1657,7 +1657,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + window.parent.db;
+ var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + escapeHtml(window.parent.db);
$(this).PMA_confirm(question, $(this).attr('href') ,function(url) {
@@ -2287,3 +2287,14 @@ $(document).ready(function() {
}) // end of $(document).ready()
+/**
+ * HTML escaping
+ */
+function escapeHtml(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(/</g, "&lt;")
+ .replace(/>/g, "&gt;")
+ .replace(/"/g, "&quot;")
+ .replace(/'/g, "&#039;");
+}
View
4 js/tbl_structure.js
@@ -44,7 +44,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` DROP `' + curr_column_name + '`';
+ var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` DROP `' + escapeHtml(curr_column_name) + '`';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
@@ -83,7 +83,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` ADD PRIMARY KEY(`' + curr_column_name + '`)';
+ var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` ADD PRIMARY KEY(`' + escapeHtml(curr_column_name) + '`)';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {

0 comments on commit bda213c

Please sign in to comment.
Something went wrong with that request. Please try again.