On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal < chirayu.chiripal@gmail.com> wrote:
On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng c4150221@gmail.com wrote:
Hi,
From this comment:
https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find I save a bookmark which label named "<script>alert("XSS");</script>", it runs while I click SQL tab. Is it safe enough? Should we add htmlspecialchars() to INSERT query included functions(e.g. PMA_Bookmark_save)?
Hi, Please have a look at here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702...
I cannot reproduce this on master before your patch. So, it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.
-- Edward Cheng
-- Regards, Chirayu Chiripal phpMyAdmin Intern - Google Summer of Code 2014 https://chirayuchiripal.wordpress.com/