Garvin Hicking wrote:
> Hi!
>
>> it is not for the end user or admin
>
> But then such a file should not be included in the release, or at least renamed to "test.php.txt" so that it can only be executed after being renamed?

why? the lang scripts are not renamed from .sh to .sh.txt either ... and don't make it too hard for theme developers - probably they are not techies

>> i just stuck it together quickly and needed to check it in this morning to have it available here
>
> Okay, it's just a thing that needs attention being paid to, because of the ongoing XSS problems in PMA we should have as little code contributing to that situation :)

but what should be checked for XSS? the variables used here should already be checked by common.lib.php

> Yeah, that was what I didn't know about, since I sadly haven't found time to look at recent PMA code recently. :(
>
>> and $HTTP_HOST is not a place for XSS attacks
>
> Why did Michal then fix this a day ago?

i don't know, i mean it is not wrong to escape this value, but it is not really necessary, you cannot reach the host you want if you add XSS code to the host in the http header ... IMHO!
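The escaping that the thread argues about, as an added illustration (not phpMyAdmin code and not code from either poster): a hypothetical page that builds a link from the Host header twice, once raw and once through htmlspecialchars(). The page does not say what Michal's change actually looked like, so the use of htmlspecialchars() and the file name host_echo.php are assumptions; the sample header values in the CLI branch are constructed for the demo.

```php
<?php
// Added example, not phpMyAdmin code and not from either poster.
// Builds the same link from a Host header value twice: raw and escaped.

/**
 * Return an HTML link built from a Host header value.
 * $escape = false reproduces an unescaped sink; $escape = true applies the
 * kind of escaping the thread refers to (assumed to be htmlspecialchars()).
 */
function host_link($host, $escape)
{
    if ($escape) {
        // ENT_QUOTES converts both quote styles, so the value can no longer
        // close a single- or double-quoted attribute or open a tag.
        $host = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
    }
    return '<a href="http://' . $host . '/phpmyadmin/">' . $host . '</a>';
}

if (PHP_SAPI === 'cli') {
    // Offline demo with constructed header values (no real request involved).
    $samples = array(
        'db.example.org',
        'db.example.org"><script>alert(1)</script>',
    );
    foreach ($samples as $h) {
        echo "Host: $h\n";
        echo "  raw:     " . host_link($h, false) . "\n";
        echo "  escaped: " . host_link($h, true) . "\n\n";
    }
} else {
    // Under a web server, $_SERVER['HTTP_HOST'] (the register_globals-era
    // $HTTP_HOST) carries the Host header exactly as the client sent it.
    $h = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>raw: ' . host_link($h, false) . "</p>\n";
    echo '<p>escaped: ' . host_link($h, true) . "</p>\n";
}
```

Run `php host_echo.php` for the offline comparison; on a test web server, `curl -H 'Host: db.example.org"><script>alert(1)</script>' http://127.0.0.1/host_echo.php` sends an arbitrary Host header and shows which form reaches the response. Whether such a request is routed to the application at all depends on the web server's virtual host setup: a default or catch-all virtual host answers any Host value, while a strict name-based configuration may refuse it, which is the assumption behind the point made in the reply above.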