Michal Čihař a écrit :
Hi
Dne Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle marc@infomarc.info napsal(a):
Michal Čihař a écrit :
Hi
Dne Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle marc@infomarc.info napsal(a):
Aris Feryanto a écrit :
On 19 Agu 2011, at 15:36, Aris Feryanto aris_feryanto@yahoo.com wrote:
Hi Michal,
> From: Michal Čihař michal@cihar.com > > Hi > > it looks like grid editing does not properly handle escaping HTML > entities. Just try importing test/test_data/exploit_test.sql and > edit any row in exploit_test.evil_content. > Thank you for pointing this out. I fixed this in my git.
Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
Michal, can you enlighten us?
It was on security list for inline editing :-).
It was not a commit?
No, because I was totally unsure about it. Herman has reviewed itand pushed it to MAINT_3_4_4-security about hour ago.
Right, I should buy more RAM for my brain.
Aris, could you make some tests to see if this technique could replace your new escaping function PMA_htmlEncode()?
Instead of $somejQueryObject.html(new_html);
use $somejQueryObject.text(new_html);