<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal <span dir="ltr"><<a href="mailto:chirayu.chiripal@gmail.com" target="_blank">chirayu.chiripal@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng <span dir="ltr"><<a href="mailto:c4150221@gmail.com" target="_blank">c4150221@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
From this comment:<br>
<a href="https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861877" target="_blank">https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861877</a><br>
I found that if I save a bookmark whose label is<br>
"<script>alert("XSS");</script>", it runs when I click the SQL tab.<br>
Is it safe enough? Should we add htmlspecialchars() to the functions that build the INSERT query<br>
(e.g. PMA_Bookmark_save)?<br></blockquote><div><br></div></div><div>Hi,<br></div><div>Please have a look here too: <a href="https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861899" target="_blank">https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861899</a><br>
</div></div></div></div></blockquote><div><br></div><div>I cannot reproduce this on master before your patch. So, it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.<br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><span class="HOEnZb"><font color="#888888">
</font></span></div><span class="HOEnZb"><font color="#888888"><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
--<br>
Edward Cheng<br>
<br>
</blockquote></font></span></div><span class="HOEnZb"><font color="#888888"><br>-- <br><div dir="ltr">Regards,<br>Chirayu Chiripal<br>phpMyAdmin Intern - Google Summer of Code 2014<br><a href="https://chirayuchiripal.wordpress.com/" target="_blank">https://chirayuchiripal.wordpress.com/</a><br>
</div>
</font></span></div></div>
</blockquote></div><br></div></div>
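The thread turns on where a bookmark label such as the one above should be escaped: in the function that writes the INSERT (PMA_Bookmark_save) or at the point where the label is rendered into the page. The following is an added example, not phpMyAdmin's code and not from either author, written to show the two boundaries the label crosses and the defence that belongs at each. It uses an in-memory SQLite database so it runs offline; the function names save_bookmark and render_bookmark_option, the bookmark table layout and the sample payloads are all hypothetical.

```php
<?php
// Added example, not phpMyAdmin's code. A stored bookmark label crosses two
// trust boundaries: the database (SQL injection) and the browser (XSS).
// Each boundary gets its own defence, applied at that boundary and nowhere else.

declare(strict_types=1);

// Hypothetical schema kept in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE bookmark (id INTEGER PRIMARY KEY, label TEXT NOT NULL, query TEXT NOT NULL)');

/**
 * Store the label exactly as the user typed it. The prepared statement stops
 * quotes or semicolons in the label from changing the SQL. HTML-escaping here
 * would corrupt the stored value: a label "<b>" would be saved as "&lt;b&gt;"
 * and then be escaped a second time when rendered.
 */
function save_bookmark(PDO $db, string $label, string $query): int
{
    $stmt = $db->prepare('INSERT INTO bookmark (label, query) VALUES (:label, :query)');
    $stmt->execute([':label' => $label, ':query' => $query]);
    return (int) $db->lastInsertId();
}

/**
 * Escape at the output boundary. ENT_QUOTES encodes both quote characters so
 * the value is safe in text and in either kind of attribute quoting; the
 * charset argument must match the page's declared encoding.
 */
function render_bookmark_option(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT label FROM bookmark WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $label = (string) $stmt->fetchColumn();
    $safe = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return sprintf('<option value="%d" title="%s">%s</option>', $id, $safe, $safe);
}

// Constructed inputs: the payload from the thread, plus one aimed at attribute context.
$payloads = [
    '<script>alert("XSS");</script>',
    '" onmouseover="alert(1)',
];
foreach ($payloads as $p) {
    $id = save_bookmark($db, $p, 'SELECT 1');
    $html = render_bookmark_option($db, $id);
    // No raw '<' or '"' from the label may reach the markup.
    if (strpos($html, '<script') !== false || strpos($html, 'onmouseover="') !== false) {
        throw new RuntimeException('label leaked into markup: ' . $html);
    }
    echo $html, PHP_EOL;
}
```

Run it with `php example.php`; both labels come back as `&lt;script&gt;...` and `&quot; onmouseover=&quot;...` inside the option element. This is the division of labour the reply above arrives at: the save path only needs protection against SQL injection, and htmlspecialchars() belongs in the code that prints the label.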