
Michal Čihař wrote:
> Hi
>
> On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle <marc@infomarc.info> wrote:
>> Michal Čihař wrote:
>>> Hi
>>>
>>> On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle <marc@infomarc.info> wrote:
>>>> Aris Feryanto wrote:
>>>>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:
>>>>>> Hi Michal,
>>>>>>
>>>>>>> From: Michal Čihař <michal@cihar.com>
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> it looks like grid editing does not properly handle escaping HTML
>>>>>>> entities. Just try importing test/test_data/exploit_test.sql and
>>>>>>> edit any row in exploit_test.evil_content.
>>>>>>
>>>>>> Thank you for pointing this out. I fixed this in my git.
>>>>
>>>> Ok, but I believe I've seen a recent commit by Michal that fixed this
>>>> kind of problem in a quicker way; it was about using .html(x) instead
>>>> of .text(x), or the reverse :)
>>>>
>>>> Michal, can you enlighten us?
>>>
>>> It was on the security list for inline editing :-).
>>
>> It was not a commit?
>
> No, because I was totally unsure about it. Herman has reviewed it and
> pushed it to MAINT_3_4_4-security about an hour ago.

Right, I should buy more RAM for my brain.

Aris, could you make some tests to see if this technique could replace your
new escaping function PMA_htmlEncode()? Instead of

$somejQueryObject.html(new_html);

use

$somejQueryObject.text(new_html);

--
Marc Delisle
http://infomarc.info
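The two techniques compared in the thread, as an added example that is not part of the original e-mails and not phpMyAdmin's own code: `htmlEncode()` below is an assumed stand-in for the `PMA_htmlEncode()` Aris wrote (its real implementation is not shown on this page), `renderCell()` and `compareStrategies()` are hypothetical helpers that model what `$cell.html(...)` and `$cell.text(...)` leave in the DOM without needing a browser, and the sample row is constructed here rather than taken from `test/test_data/exploit_test.sql`. It runs under Node.

```javascript
// Added example, not phpMyAdmin code. It models the two ways a value read
// from the database can be placed into a grid cell with jQuery:
//
//   $cell.html(htmlEncode(value));   // encode, then inject as markup
//   $cell.text(value);               // hand the DOM a text node instead
//
// and the two mistakes around them: $cell.html(value) with no encoding
// (an XSS), and $cell.text(htmlEncode(value)), which double-encodes so the
// user sees a literal "&lt;" on screen. htmlEncode() is an assumed stand-in
// for the PMA_htmlEncode() mentioned in the thread, not its implementation.

// Escape the five characters that matter in text and double-quoted
// attribute contexts. '&' must go first: escaping it later would turn the
// '&lt;' produced by the '<' rule into '&amp;lt;'.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of htmlEncode for the same five entities, approximating the
// textContent a browser derives from tag-free markup. '&amp;' goes last so
// that '&amp;lt;' yields the literal '&lt;' rather than '<'.
function htmlDecode(markup) {
  return String(markup)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Would the HTML parser create an element (or comment) from this markup?
function containsTag(markup) {
  return /<[a-zA-Z!\/]/.test(markup);
}

// Stand-in for one table cell. `markup` is what the parser receives with
// .html(), or what serialising the text node gives with .text();
// `visibleText` is what the user would see, or null when the markup holds
// a tag and the question no longer makes sense.
function renderCell(value, strategy) {
  let markup;
  switch (strategy) {
    case 'html-raw':      // $cell.html(value): value parsed as markup
      markup = String(value);
      break;
    case 'html-encoded':  // $cell.html(htmlEncode(value))
      markup = htmlEncode(value);
      break;
    case 'text':          // $cell.text(value): DOM escapes on serialisation
      markup = htmlEncode(value);
      break;
    case 'text-encoded':  // $cell.text(htmlEncode(value)): double encoding
      markup = htmlEncode(htmlEncode(value));
      break;
    default:
      throw new Error('unknown strategy: ' + strategy);
  }
  return { markup, visibleText: containsTag(markup) ? null : htmlDecode(markup) };
}

// For one stored value, report which strategies are both safe (no element
// created from the value) and faithful (the user sees the stored value).
function compareStrategies(value) {
  const result = {};
  for (const strategy of ['html-raw', 'html-encoded', 'text', 'text-encoded']) {
    const { markup, visibleText } = renderCell(value, strategy);
    result[strategy] = {
      safe: !containsTag(markup),
      faithful: visibleText === String(value),
    };
  }
  return result;
}

// Constructed sample row standing in for exploit_test.evil_content; the
// real contents of test/test_data/exploit_test.sql are not reproduced here.
const SAMPLE_ROW = { evil_content: '<img src=x onerror=alert(1)> Tom & Jerry\'s "cat"' };

console.log(compareStrategies(SAMPLE_ROW.evil_content));
```

The model answers Marc's question for text content: `.text(value)` and `.html(htmlEncode(value))` leave the same DOM behind, so the encoding call can be dropped wherever the cell is filled with `.text()`; applying both double-encodes and the user sees entities. Two caveats a reviewer would add: `.text()` only covers the element's text node, so a value that ends up in an attribute (a `title`, a `data-` attribute) or is passed to `$(string)` is still parsed as markup and still needs encoding, and the decoder above handles only the five entities it emits, so it is a modelling aid, not a general HTML parser.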