[Phpmyadmin-devel] XSS safe checks

Hi,
From this comment: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find that if I save a bookmark whose label is "<script>alert("XSS");</script>", it runs when I click the SQL tab. Is it safe enough? Should we add htmlspecialchars() to functions that include an INSERT query (e.g. PMA_Bookmark_save)?
-- Edward Cheng

On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng <c4150221@gmail.com> wrote:
> Hi,
> From this comment:
> https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find that if I save a bookmark whose label is "<script>alert("XSS");</script>", it runs when I click the SQL tab. Is it safe enough? Should we add htmlspecialchars() to functions that include an INSERT query (e.g. PMA_Bookmark_save)?

Hi, please have a look here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702...

> -- Edward Cheng

-- 
Regards,
Chirayu Chiripal
phpMyAdmin Intern - Google Summer of Code 2014
https://chirayuchiripal.wordpress.com/

On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal <chirayu.chiripal@gmail.com> wrote:
> On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng <c4150221@gmail.com> wrote:
>> Hi,
>> From this comment:
>> https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702... I find that if I save a bookmark whose label is "<script>alert("XSS");</script>", it runs when I click the SQL tab. Is it safe enough? Should we add htmlspecialchars() to functions that include an INSERT query (e.g. PMA_Bookmark_save)?
>
> Hi, please have a look here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702...

I cannot reproduce this on master before your patch. So it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.

>> -- Edward Cheng

-- 
Regards,
Chirayu Chiripal
phpMyAdmin Intern - Google Summer of Code 2014
https://chirayuchiripal.wordpress.com/

Hi

On Wed, 2 Jul 2014 12:35:15 +0530 Chirayu Chiripal <chirayu.chiripal@gmail.com> wrote:
> I cannot reproduce this on master before your patch. So it seems PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.

I think it makes no sense to escape HTML when saving to the database; this should be done at display time, whenever displaying data which the user can control (e.g. table/database name, bookmark, SQL query, ...).

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
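An added example of the approach Michal describes and Edward asks about (store the label raw, apply htmlspecialchars() where the value meets the markup). This is illustration code written for this page, not phpMyAdmin's own code: saveBookmark(), renderBookmarkRow() and h() are hypothetical names, a PHP array stands in for the bookmark table, and the sample label is the one from the report. The real save path would use a prepared statement for the INSERT; SQL injection is a separate concern from XSS and is not what htmlspecialchars() addresses.

```php
<?php
// Added example, not phpMyAdmin code: "store raw, escape at display time".
// Assumed: a PHP array stands in for the bookmark table; saveBookmark(),
// renderBookmarkRow() and h() are hypothetical helper names.
declare(strict_types=1);

/** HTML-encode a value for use in element content or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles so the helper is safe in attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Save path: the label is stored exactly as entered. Returns the new id. */
function saveBookmark(array &$store, string $label, string $query): int
{
    // No HTML escaping here: the database holds data, not markup.
    $store[] = ['label' => $label, 'query' => $query];
    return count($store) - 1;
}

/** Display path: encoding happens at the point the value enters HTML. */
function renderBookmarkRow(int $id, array $bookmark): string
{
    return '<tr>'
        . '<td>' . h($bookmark['label']) . '</td>'
        . '<td><a href="sql.php?id=' . $id . '">run</a></td>'
        . '</tr>';
}

// Constructed sample input: the label from the report in this thread.
$label = '<script>alert("XSS");</script>';

$bookmarks = [];
$id = saveBookmark($bookmarks, $label, 'SELECT 1');

// 1. The stored value is untouched, so an export, a JSON API or a CLI
//    listing all receive the real label rather than HTML entities.
var_dump($bookmarks[$id]['label'] === $label);

// 2. The rendered row is inert: the tag is encoded and the browser shows
//    it as literal text instead of executing it.
echo renderBookmarkRow($id, $bookmarks[$id]), PHP_EOL;

// 3. What escaping on save would do instead: the display template must
//    still encode (other data sources are raw), so the label is encoded
//    twice and the user sees entity text on screen.
$escapedOnSave = [];
saveBookmark($escapedOnSave, h($label), 'SELECT 1');
echo renderBookmarkRow(0, $escapedOnSave[0]), PHP_EOL;
```

Running it prints a `bool(true)` line, then a table row whose label cell contains the script tag as entities, then the double-encoded variant, which shows why encoding at save time both fails to protect non-HTML consumers and garbles the HTML view. The same h() helper is the only thing that needs to be audited: every place user-controlled data (bookmark labels, table and database names, SQL text) is interpolated into HTML should pass through it.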
participants (3)
- Chirayu Chiripal
- Edward Cheng
- Michal Čihař