On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal <chirayu.chiripal@gmail.com> wrote:
On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng <c4150221@gmail.com> wrote:
Hi,
From this comment:
https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861877
I found that if I save a bookmark whose label is
"<script>alert("XSS");</script>", it runs when I click the SQL tab.
Is it safe enough? Should we add htmlspecialchars() to the INSERT query in
the included functions (e.g. PMA_Bookmark_save)?

Hi,

I cannot reproduce this on master before your patch. So, it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.
--
Edward Cheng


--
Regards,
Chirayu Chiripal
phpMyAdmin Intern - Google Summer of Code 2014
https://chirayuchiripal.wordpress.com/
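As an added illustration of the point raised in this thread (this is example code, not phpMyAdmin's own, and the function and table names are hypothetical): a bookmark label is stored verbatim through a prepared statement, and HTML escaping is applied only where the label is rendered, so htmlspecialchars() has no place in the INSERT path.

```php
<?php
// Added example, not phpMyAdmin code. Table and function names are hypothetical;
// an in-memory SQLite database stands in for the real bookmark storage.

// Store the label unchanged. The prepared statement handles SQL quoting, so no
// HTML escaping is needed (or wanted) at this layer: the database should hold
// the label exactly as the user typed it.
function save_bookmark_label(PDO $db, string $label, string $query): void
{
    $stmt = $db->prepare('INSERT INTO bookmarks (label, query) VALUES (:label, :query)');
    $stmt->execute([':label' => $label, ':query' => $query]);
}

// Escape at output time, for the HTML context the label lands in (here an
// <option> in the SQL tab's bookmark selector). ENT_QUOTES covers both quote
// styles so the attribute value cannot be broken out of either.
function render_bookmark_option(string $label): string
{
    $safe = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Constructed sample using the label from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, label TEXT, query TEXT)');

$label = '<script>alert("XSS");</script>';
save_bookmark_label($db, $label, 'SELECT 1');

// The stored value is the raw label, so the bookmark can still be renamed,
// searched or exported without double-escaping artifacts.
$stored = $db->query('SELECT label FROM bookmarks')->fetchColumn();
assert($stored === $label);

// The rendered markup is inert text, not a live <script> element.
echo render_bookmark_option($stored), "\n";
```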