Hi Sebastian!
I'm not up to date on recent code, but are these:
$lang_iso_code = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
// start output header('Content-Type: text/html; charset=' . $GLOBALS['charset']); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang_iso_code; ?>" lang="<?php echo $lang_iso_code; ?>" dir="<?php echo $GLOBALS['text_dir']; ?>"> <head> <title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo $HTTP_HOST; ?> - Theme Test</title>
Checked against XSS attacks? At least I saw Michals commit about the $HTTP_HOST variable to be wrapped within htmlspecialchars() -- and does the 'charset' variable now get escaped for being passed to header()? I thought we would rather use a PMA_header() function or so?
Best regards, Garvin
Garvin Hicking wrote:
Hi Sebastian!
I'm not up to date on recent code, but are these:
$lang_iso_code = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
// start output header('Content-Type: text/html; charset=' . $GLOBALS['charset']); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang_iso_code; ?>" lang="<?php echo $lang_iso_code; ?>" dir="<?php echo $GLOBALS['text_dir']; ?>"> <head> <title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo $HTTP_HOST; ?> - Theme Test</title>
Checked against XSS attacks? At least I saw Michals commit about the $HTTP_HOST variable to be wrapped within htmlspecialchars() -- and does the 'charset' variable now get escaped for being passed to header()? I thought we would rather use a PMA_header() function or so?
no its not checked its just for (theme) developers to have a single page to check there themes
it is not for the end user or admin
i just sticked it fast together and needed to check it in this morning to have it available here
but what should be checked for XSS? variables used here should already be checked by common.lib.php
and $HTTP_HOST is not a place for XSS attacks
Hi!
it is not for the end user or admin
But then such a file should not be included in the release, or at least renamed to "test.php.txt" so that it can only be executed after being renamed?
i just sticked it fast together and needed to check it in this morning to have it available here
Okay, it's just a thing that needs attention being paid to, because of the ongoing XSS problems in PMA we should have as little code contributing to that situation :)
but what should be checked for XSS? variables used here should already be checked by common.lib.php
Yeah, that was what I didn't know about, since I sadly haven't found time to look at recent PMA code recently. :(
and $HTTP_HOST is not a place for XSS attacks
Why did Michal then fix this a day ago?
Regards, Garvin
Garvin Hicking wrote:
Hi!
it is not for the end user or admin
But then such a file should not be included in the release, or at least renamed to "test.php.txt" so that it can only be executed after being renamed?
why? the lang scripts are not renamed too from .sh to .sh.txt ... and don't make it too hard for theme developers - probably they are not techies
i just sticked it fast together and needed to check it in this morning to have it available here
Okay, it's just a thing that needs attention being paid to, because of the ongoing XSS problems in PMA we should have as little code contributing to that situation :)
but what should be checked for XSS? variables used here should already be checked by common.lib.php
Yeah, that was what I didn't know about, since I sadly haven't found time to look at recent PMA code recently. :(
and $HTTP_HOST is not a place for XSS attacks
Why did Michal then fix this a day ago?
i don't know, i mean it is not wrong to escape this value, but it is not really necessary, you can not reach the host you want if you add XSS code to the host in the http header ... IMHO!
On Tue 22. 11. 2005 11:58, Garvin Hicking wrote:
and $HTTP_HOST is not a place for XSS attacks
Why did Michal then fix this a day ago?
Because you could insert any javascript using index.php?HTTP_HOST="><script>some evil code</script>
Hi
On Tue 22. 11. 2005 10:16, Garvin Hicking wrote:
Checked against XSS attacks? At least I saw Michals commit about the $HTTP_HOST variable to be wrapped within htmlspecialchars() -- and does the 'charset' variable now get escaped for being passed to header()? I thought we would rather use a PMA_header() function or so?
AFAIK charset is set by language file. If not we've XSS attacks also in normal code and not only in this one...
-
Garvin Hicking -
Michal Čihař -
Sebastian Mendel