Avoid double escaping

commit 5ee14079b8fa7fb8c6b5e804737f9e785cb7743c 1 parent 07e4476
@vrana authored
2  adminer/edit.inc.php
@@ -43,7 +43,7 @@
($update ? lang('Edit') : lang('Insert')),
$error,
array("select" => array($TABLE, $table_name)),
- $table_name
+ $table_name //! two calls of h()
);
$row = null;
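Review bot: The `//! two calls of h()` marker on line 24 records that `$table_name` is still escaped twice, but the argument list it sits in opens before line 43, so from this hunk a reader cannot see which callee applies the second h() or whether it is the producer of `$table_name` that should change. If, as the marker suggests, the callee escapes its argument again, say so in the comment so the follow-up is actionable, e.g. `$table_name //! double-escaped: already HTML here and the callee applies h() again; drop one once the callee's contract is fixed`. The enclosing call starts outside the hunk.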
4 adminer/include/adminer.inc.php
@@ -80,7 +80,7 @@ function login($login, $password) {
/** Table caption used in navigation and headings
* @param array result of SHOW TABLE STATUS
- * @return string
+ * @return string HTML code, "" to ignore table
*/
function tableName($tableStatus) {
return h($tableStatus["Name"]);
@@ -89,7 +89,7 @@ function tableName($tableStatus) {
/** Field caption used in select and edit
* @param array single field returned from fields()
* @param int order of column in select
- * @return string
+ * @return string HTML code, "" to ignore field
*/
function fieldName($field, $order = 0) {
return '<span title="' . h($field["full_type"]) . '">' . h($field["field"]) . '</span>';
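Review bot: The new `@return string HTML code` wording on tableName() and fieldName() changes the contract from "a name" to "markup the caller prints verbatim", and the other hunks of this commit drop h() at the call sites accordingly; an overriding implementation of either method that returns the raw name, which was the natural thing to write before this commit, will now be emitted unescaped, so a table or column whose name contains markup becomes an XSS vector. The docblock should make the obligation explicit rather than leaving it implied by "HTML code", e.g. `@return string HTML code, "" to ignore table; callers print it without further escaping, so implementations must escape the name themselves (h())`, and the same sentence belongs on fieldName(). The default bodies shown here do escape with h() on lines 36 and 45, so the risk is only in overrides, which this file cannot check.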
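--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -757,7 +757,7 @@ function search_tables() {
 echo "<ul>\n";
 $found = true;
 }
-echo "<li><a href='" . h(ME . "select=" . urlencode($table) . "&where[0][op]=" . urlencode($_GET["where"][0]["op"]) . "&where[0][val]=" . urlencode($_GET["where"][0]["val"])) . "'>" . h($name) . "</a>\n";
+echo "<li><a href='" . h(ME . "select=" . urlencode($table) . "&where[0][op]=" . urlencode($_GET["where"][0]["op"]) . "&where[0][val]=" . urlencode($_GET["where"][0]["val"])) . "'>$name</a>\n";
 }
 }
 }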
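Review bot: `$name` is now printed unescaped on line 53, but the assignment that produces it lies outside the hunk (search_tables() begins above line 757), so the hunk alone gives no evidence that `$name` is already HTML; if it is the result of tableName() the change is right, but the invariant is invisible at the point of use. A one-line comment at the echo would make it checkable, e.g. `// $name is already HTML (tableName() contract) - do not escape again` — hedged on where `$name` actually comes from. The rest of the line is sound: ME, the table name and the two where[0] parameters are urlencoded for the query string and then h()-ed for the attribute context.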
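--- a/editor/db.inc.php
+++ b/editor/db.inc.php
@@ -13,7 +13,7 @@
 $name = $adminer->tableName($row);
 if (isset($row["Engine"]) && $name != "") {
 echo '<tr' . odd() . '><td>' . checkbox("tables[]", $table, in_array($table, (array) $_POST["tables"], true), "", "formUncheck('check-all');");
-echo '<th><a href="' . h(ME) . 'select=' . urlencode($table) . '">' . h($name) . '</a>';
+echo "<th><a href='" . h(ME) . 'select=' . urlencode($table) . "'>$name</a>";
 $val = number_format($row["Rows"], 0, '.', lang(','));
 echo "<td align='right'><a href='" . h(ME . "edit=") . urlencode($table) . "'>" . ($row["Engine"] == "InnoDB" && $val ? "~ $val" : $val) . "</a>";
 }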
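Review bot: Line 64 also switches the href attribute from double quotes to single quotes while still relying on h(ME) to keep the value inside the attribute, which is only safe if h() escapes `'` as well as `"` (htmlspecialchars with ENT_QUOTES); the neighbouring line 66 already makes the same assumption, so this is not new, but it is worth confirming h()'s flags rather than inheriting the assumption. The unescaped `$name` on line 64 comes from `$adminer->tableName($row)` on line 60 and is correct exactly as long as every override of tableName() honours the new "returns HTML" contract; a comment at the echo, `// $name is HTML (tableName() contract): no h() here`, records why there is no escaping on a line that prints database-derived text. The enclosing loop begins before the hunk.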