[security] Fix self-XSS in setup, trusted proxies validation, see PMA…

…SA-2013-9
phpmyadmin · Jul 7, 2013 · e0d8568 · e0d8568
1 parent d096a0f
commit e0d8568
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -4,6 +4,7 @@ phpMyAdmin - ChangeLog
 4.0.4.2 (not released yet)
 - [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
 - [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+- [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
 
 4.0.4.1 (2013-06-30)
 - [security] Global variables scope injection vulnerability (see PMASA-2013-7)

diff --git a/libraries/config/validate.lib.php b/libraries/config/validate.lib.php
@@ -432,7 +432,7 @@ function validate_trusted_proxies($path, $values)
         $matches = array();
         // we catch anything that may (or may not) be an IP
         if (!preg_match("/^(.+):(?:[ ]?)\\w+$/", $line, $matches)) {
-            $result[$path][] = __('Incorrect value') . ': ' . $line;
+            $result[$path][] = __('Incorrect value') . ': ' . htmlspecialchars($line);
             continue;
         }
         // now let's check whether we really have an IP address