unneeded check for <

[emanuelb]

1. in:
   https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/LanguageManager.php#L846

        if ($accepted_languages && false === mb_strpos($accepted_languages, '<')) {

The matchesAcceptLanguage function use the value of $accepted_languages in preg_match call that will determinate if $language will be returned (it match the $accepted_languages)
Thus, the below:

 && false === mb_strpos($accepted_languages, '<')

need to be removed.

2. in:
   

   phpmyadmin/libraries/plugins/auth/AuthenticationHttp.php

   Line 129 in 9517695

   && false === strpos(PMA_getenv('HTTP_AUTHORIZATION'), '<')

                && false === strpos(PMA_getenv('HTTP_AUTHORIZATION'), '<')

also look useless (exists only in parsing of one of AUTHORIZATION headers, username can contain <)

[nijel]

It was added as XSS prevention (see 63508c4 and 2d6e0f0). However it indeed seems a bit weird. Though this was in time where everything was put into globals.

[emanuelb]

The point in 2 (and this bug report) is:

1. it's better to use htmlspecialchars/urlencode (correct output escaping) in relevant places that output content to prevent XSS instead of disallowing < in input.
2. Where is in the code the value that come from AUTHORIZATION header / $accepted_languages variable are printed? (the sink) as I didn't found any such insecure flow, it's ok to remove this check.
3. the above commit point to file that doesn't exists anymore in master (grab_globals.lib.php)

[nijel]

I've removed these as indeed the check is not needed anymore. It does come from ages where all environment were in globals and to avoid problems with XSS, anything containing < was simply rejected. The code was simply copied over and over without much thinking what is it's purpose.