The commit "ff541af#diff-318d13940f6a71a40c408f13d1c24512" fixes "sql injection".
It adds HTML escaping in move.js and database_tables.twig, but it looks like it just adds a filter at the output.
In my view, a fix for SQL injection should add a filter at the input point, but I cannot find where the injection point is.
The commit can surely prevent XSS, but how does it prevent SQL injection? Can you give me some tips?
I am not sure my question is right; if anything is wrong, I will delete this question...
Thank you!
Hi, @djerrystyle. Thanks for the question.
phpMyAdmin escapes the database/table names at output, because we don't want to restrict the possible names.
For example <script>alert('XSS')</script> and <script>alert('XSS')</script> are both valid and different database/table names and we don't want to confuse the user.
I think perhaps the wording of the PMASA was a bit unclear here as well; as I recall the initial problem that William discovered was thought to be an SQL injection, but in fixing that it was discovered that the output was interpreted rather than displayed (which was more of an XSS attack) and it seems that perhaps I never updated the PMASA with those details.
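The point made in the replies above, as an added example that is not phpMyAdmin's own code: keep a database or table name exactly as the user chose it and encode it for each output context at the moment it is written out, rather than filtering what names may exist. The helpers `escapeHtml`, `backquoteIdentifier`, `renderTableRow`, `stripTags` and `demo` are hypothetical, and both sample names are constructed; the backtick-doubling rule is standard MySQL identifier quoting, not a claim about how phpMyAdmin implements it.

```javascript
// Added example, not phpMyAdmin's own code. Helper names are hypothetical.
// Idea from the reply above: keep names as the user typed them and encode
// them for each output context (HTML, SQL identifier) at the moment of output.

// HTML text/attribute escaping: every HTML-significant character becomes an
// entity, so a name is always displayed, never interpreted as markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// MySQL identifier quoting for the SQL context (standard MySQL rule): wrap in
// backticks and double any backtick inside the name. The stored name itself
// is not altered; only its representation in the SQL text is.
function backquoteIdentifier(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

// Render a table-list row the way a template would, escaping at output.
function renderTableRow(tableName) {
  const safe = escapeHtml(tableName);
  return `<tr><td data-table="${safe}">${safe}</td></tr>`;
}

// An input-side "fix" for comparison: stripping tags on the way in. It loses
// information (the stored name no longer matches what the user chose) and
// does nothing for the SQL context, where angle brackets are not special.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// Constructed sample names. Both are legal MySQL table names and must remain
// distinguishable to the user after rendering.
const NAME_A = "<script>alert('XSS')</script>";
const NAME_B = "&lt;script&gt;alert('XSS')&lt;/script&gt;";

// Output escaping keeps the two names distinct and inert in HTML, while
// input stripping collapses NAME_A into a name the user never typed.
function demo() {
  const rowA = renderTableRow(NAME_A);
  const rowB = renderTableRow(NAME_B);
  return {
    distinct: rowA !== rowB,
    inert: !rowA.includes('<script') && !rowB.includes('<script'),
    strippedA: stripTags(NAME_A),
    sqlA: backquoteIdentifier(NAME_A),
  };
}

console.log(demo());
```

The split into two encoders is the practical answer to "where is the filter": there is no single input filter, because the same name is safe or unsafe depending on where it ends up, so each sink applies its own encoding.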