Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Make better use of PMA_generate_common_url to prevent XSS

  • Loading branch information...
commit e11e55cb0689b4a6de5f0d996166668a47f96da9 1 parent 9d54e57
helmo helmo authored
Showing with 8 additions and 4 deletions.
  1. +8 −4 tbl_tracking.php
12 tbl_tracking.php
View
@@ -382,7 +382,7 @@ function PMA_filter_tracking($data, $filter_ts_from, $filter_ts_to, $filter_user
<small><?php echo $strTrackingStatements . ' ' . htmlspecialchars($data['tracking']); ?></small><br/>
<br/>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>">
+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<?php
$str1 = '<select name="logtype">' .
@@ -500,7 +500,7 @@ function PMA_filter_tracking($data, $filter_ts_from, $filter_ts_to, $filter_user
}
?>
</form>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>">
+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<?php
printf($strTrackingShowLogDateUsers, $str1, $str2, $str3, $str4, $str5);
@@ -513,7 +513,7 @@ function PMA_filter_tracking($data, $filter_ts_from, $filter_ts_to, $filter_user
$str_export2 = '<input type="submit" name="report_export" value="' . $strGo .'" />';
?>
</form>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>">
+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
<input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
<input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
@@ -622,7 +622,11 @@ function PMA_filter_tracking($data, $filter_ts_from, $filter_ts_to, $filter_user
<td><?php echo $version['date_created'];?></td>
<td><?php echo $version['date_updated'];?></td>
<td><?php echo $version_status;?></td>
- <td> <a href="tbl_tracking.php?<?php echo $url_query;?>&amp;report=true&amp;version=<?php echo $version['version'];?>"><?php echo $strTrackingReport;?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&amp;snapshot=true&amp;version=<?php echo $version['version'];?>"><?php echo $strTrackingStructureSnapshot;?></a></td>
+ <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])
+);?>"><?php echo $strTrackingReport;?></a>
+ | <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version'])
+);?>"><?php echo $strTrackingStructureSnapshot;?></a>
+ </td>
</tr>
<?php
if ($style == 'even') {
Please sign in to comment.
Something went wrong with that request. Please try again.