Hi
On Thu, 29 Mar 2012 22:17:42 +0200 "J.M." me@mynetx.net wrote:
> The htmlspecialchars escaping of error messages in PMA_Error, introduced in https://github.com/phpmyadmin/phpmyadmin/commit/656809ac3bdc8ba61b84657b8789..., causes problems with error messages containing links. See this photo for reference: http://cl.ly/FQ0H, read main.php, lines 293 and 329.
> Do we prefer using trigger_error() or the direct PMA_Message::display variant?
Generally, anything that comes as an error from PHP needs to be escaped, so there are two options:
- pass our error messages to trigger_error as some object (let's call it SafeString for now), and if the error handler sees a SafeString, it won't do any processing of it
- do not use trigger_error for anything that includes markup
I'd prefer the first solution (actually, marking strings as safe to output is a generally useful thing to prevent XSS).
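One way to implement the SafeString idea above, as an added example that is not phpMyAdmin's code: because PHP's trigger_error() only carries a string, the marker object records its text in a registry when it is converted, and the error handler escapes anything not found there. The class, function and message texts are assumptions made for this example.

```php
<?php
// Added example (not phpMyAdmin code): mark trusted messages as safe so the
// error handler escapes everything else with htmlspecialchars.

final class SafeString
{
    /** @var array<string,bool> texts that were explicitly marked safe */
    private static array $registry = [];
    private string $html;

    private function __construct(string $html) { $this->html = $html; }

    public static function of(string $html): self
    {
        return new self($html);
    }

    // trigger_error() accepts only a string, so the object is converted here;
    // remembering the exact text lets the handler recognise it afterwards.
    public function __toString(): string
    {
        self::$registry[$this->html] = true;
        return $this->html;
    }

    public static function isSafe(string $message): bool
    {
        return isset(self::$registry[$message]);
    }
}

// Returns the HTML that will be displayed for a message reaching the handler.
function renderErrorMessage(string $message): string
{
    if (SafeString::isSafe($message)) {
        return $message;  // trusted markup, e.g. a link to the documentation
    }
    // Anything else (PHP's own notices, database errors echoing input) is escaped.
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

set_error_handler(function (int $errno, string $errstr): bool {
    echo renderErrorMessage($errstr), "\n";
    return true;  // handled; do not fall through to PHP's default output
});

// 1) Application message with markup, marked safe: the link survives.
trigger_error((string) SafeString::of('See <a href="./docs.html">the documentation</a>.'), E_USER_NOTICE);
// 2) Constructed untrusted content: the tag is escaped, not rendered.
trigger_error('Unknown table "<script>alert(1)</script>"', E_USER_NOTICE);
```

The registry is keyed by message text, so a later message with exactly the same content is also treated as safe; that is acceptable only because the text itself was written by the application.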