Hi,
From this comment:
https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find I save a bookmark which label named "<script>alert("XSS");</script>", it runs while I click SQL tab. Is it safe enough? Should we add htmlspecialchars() to INSERT query included functions(e.g. PMA_Bookmark_save)?
On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng c4150221@gmail.com wrote:
Hi,
From this comment:
https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find I save a bookmark which label named "<script>alert("XSS");</script>", it runs while I click SQL tab. Is it safe enough? Should we add htmlspecialchars() to INSERT query included functions(e.g. PMA_Bookmark_save)?
Hi, Please have a look at here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702...
-- Edward Cheng
On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal < chirayu.chiripal@gmail.com> wrote:
On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng c4150221@gmail.com wrote:
Hi,
From this comment:
https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find I save a bookmark which label named "<script>alert("XSS");</script>", it runs while I click SQL tab. Is it safe enough? Should we add htmlspecialchars() to INSERT query included functions(e.g. PMA_Bookmark_save)?
Hi, Please have a look at here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702...
I cannot reproduce this on master before your patch. So, it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.
-- Edward Cheng
-- Regards, Chirayu Chiripal phpMyAdmin Intern - Google Summer of Code 2014 https://chirayuchiripal.wordpress.com/
Hi
Dne Wed, 2 Jul 2014 12:35:15 +0530 Chirayu Chiripal chirayu.chiripal@gmail.com napsal(a):
I cannot reproduce this on master before your patch. So, it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.
I think it makes no sense to espace HTML when saving to database, this should be done at display time whenever displaying data which user can control (eg. table/database name, bookmark, SQL query, ...).
-
Chirayu Chiripal -
Edward Cheng -
Michal Čihař