Aris Feryanto wrote:
On 19 Aug 2011, at 20:37, Marc Delisle marc@infomarc.info wrote:
Michal Čihař wrote:
Hi
On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle marc@infomarc.info wrote:
Michal Čihař wrote:
Hi
On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle marc@infomarc.info wrote:
Aris Feryanto wrote:
> On 19 Aug 2011, at 15:36, Aris Feryanto aris_feryanto@yahoo.com wrote:
>
>> Hi Michal,
>>
>>> From: Michal Čihař michal@cihar.com
>>>
>>> Hi
>>>
>>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
>>>
>> Thank you for pointing this out. I fixed this in my git.

Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
Michal, can you enlighten us?
It was on security list for inline editing :-).
It was not a commit?
No, because I was totally unsure about it. Herman has reviewed it and pushed it to MAINT_3_4_4-security about an hour ago.
Right, I should buy more RAM for my brain.
Aris, could you make some tests to see if this technique could replace your new escaping function PMA_htmlEncode()?
Instead of $somejQueryObject.html(new_html);
use $somejQueryObject.text(new_html);
Right, Marc. When I was fixing this bug, I decided to use the above technique to handle the HTML escaping. I just forgot to push my commits that removed the PMA_htmlEncode function. But, since .text() cannot handle newlines reliably [0], the newlines in grid edited cells may disappear for some browsers. I googled to find a solution for this, but cannot find the best cross-browser solution.
[0] http://api.jquery.com/text/ : (Due to variations in the HTML parsers in different browsers, the text returned may vary in newlines and other white space.)
Aris, thanks for the good analysis. I have pushed your code to origin/master. Let's continue to look for a solution to the newlines issue.
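The thread weighs two ways of putting a user-supplied cell value into the grid: `.html(x)` (interprets markup, so a stored `<script>` executes) and `.text(x)` (escapes it, but newline handling varies across browsers). The following is an added example, not phpMyAdmin code and not anything Aris or Michal posted, of the usual way to get both properties: escape the value as text first, then convert newlines to `<br>` on the already-escaped string so the result can be handed to `.html()`. The function names (`escapeHtml`, `cellToSafeHtml`, `splitForDom`) and the sample cell value are constructed for this illustration; they do not exist in the project.

```javascript
// Added example (not phpMyAdmin code): make a raw cell value safe to insert
// with jQuery's .html() while keeping its line breaks.

// Characters that change meaning in an HTML text or attribute context.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of what .text(x) does for us: neutralise markup characters.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Escape FIRST, then turn newlines into <br>. Doing it in the other order
// would let a value containing a literal "<br>" (or any other tag) through.
function cellToSafeHtml(value) {
  return escapeHtml(value).replace(/\r\n|\r|\n/g, '<br>');
}

// Alternative that never builds an HTML string at all: split the value into
// text segments and line breaks. In a browser each 'text' entry becomes a
// document.createTextNode(...) and each 'br' a document.createElement('br'),
// appended in order; no string is ever parsed as markup.
function splitForDom(value) {
  const parts = [];
  const lines = String(value).split(/\r\n|\r|\n/);
  lines.forEach((line, i) => {
    if (i > 0) parts.push({ type: 'br' });
    if (line.length > 0) parts.push({ type: 'text', value: line });
  });
  return parts;
}

// Constructed sample cell value of the kind exploit_test.sql is meant to
// exercise: multi-line, with markup and quotes mixed in.
const SAMPLE = 'line one\n<script>alert(1)</script>\nline "three"';

console.log(cellToSafeHtml(SAMPLE));
console.log(JSON.stringify(splitForDom(SAMPLE)));
```

`cellToSafeHtml` is the minimal change to the `.text()` approach discussed in the thread: the only markup that reaches `.html()` is the `<br>` the function itself emitted. `splitForDom` avoids the string-based path altogether and is independent of how a given browser's parser normalises whitespace, which is the variation the jQuery documentation warns about.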