Garvin Hicking wrote:
Hi Sebastian!
I'm not up to date on recent code, but are these:

$lang_iso_code = $GLOBALS['available_languages'][$GLOBALS['lang']][2];

// start output
header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang_iso_code; ?>" lang="<?php echo $lang_iso_code; ?>" dir="<?php echo $GLOBALS['text_dir']; ?>">
<head>
<title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo $HTTP_HOST; ?> - Theme Test</title>

checked against XSS attacks? At least I saw Michal's commit about the $HTTP_HOST variable to be wrapped within htmlspecialchars() -- and does the 'charset' variable now get escaped for being passed to header()? I thought we would rather use a PMA_header() function or so?

No, it's not checked. It's just for (theme) developers to have a single page to check their themes.
It is not for the end user or admin.
I just stuck it together fast and needed to check it in this morning to have it available here.
But what should be checked for XSS? Variables used here should already be checked by common.lib.php,
and $HTTP_HOST is not a place for XSS attacks.
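
Added illustration, not part of the thread and not phpMyAdmin code: one way to handle the values in the quoted snippet is to allowlist whatever reaches header() or an attribute, and to escape whatever is echoed into HTML. The example_* names, the charset list and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example; the example_* helpers are hypothetical, not phpMyAdmin functions.

// Charsets accepted for both the Content-Type header and htmlspecialchars().
const EXAMPLE_CHARSETS = ['utf-8', 'iso-8859-1', 'iso-8859-15',
                          'windows-1251', 'windows-1252', 'koi8-r'];

// Return the charset only if it is on the allowlist, otherwise the default.
function example_charset($charset, $default = 'utf-8')
{
    $charset = is_string($charset) ? strtolower($charset) : '';
    return in_array($charset, EXAMPLE_CHARSETS, true) ? $charset : $default;
}

// Escape a value for an HTML text node or a quoted attribute.
function example_html($value, $charset)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, $charset);
}

// Constructed inputs standing in for the globals used in the quoted snippet.
$input = [
    'charset'  => "utf-8\r\nX-Constructed: 1", // CR/LF must never reach header()
    'lang'     => 'en"><b>x</b>',
    'text_dir' => 'sideways',
    'host'     => 'db.example.test"><b>x</b>',
];

$charset = example_charset($input['charset']);

// Language code and text direction are checked against a strict shape / fixed set.
$lang = preg_match('/^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/D', $input['lang'])
    ? $input['lang'] : 'en';
$text_dir = in_array($input['text_dir'], ['ltr', 'rtl'], true)
    ? $input['text_dir'] : 'ltr';

// Only the allowlisted token is concatenated into the header line.
header('Content-Type: text/html; charset=' . $charset);
?>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" lang="<?php echo $lang; ?>" dir="<?php echo $text_dir; ?>">
<head>
<title>phpMyAdmin - <?php echo example_html($input['host'], $charset); ?> - Theme Test</title>
</head>
</html>
```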