Re: [Phpmyadmin-devel] Grid editing and escaping

On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:

Hi Michal,

> From: Michal Čihař <michal@cihar.com>
>
> Hi
>
> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.

Thank you for pointing this out. I fixed this in my git.

I also changed the way of grid editing a bit. For normal text, grid editing is no longer shown with the 'edit area' (a bigger editing area under the edited cell). I think this is better than having two input fields for one edited cell.

--
Aris Feryanto

Aris Feryanto wrote:
> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:
>
> Hi Michal,
>
>> From: Michal Čihař <michal@cihar.com>
>>
>> Hi
>>
>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
>
> Thank you for pointing this out. I fixed this in my git.

Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :) Michal, can you enlighten us?

> I also changed the way of grid editing a bit. For normal text, grid editing is no longer shown with the 'edit area' (a bigger editing area under the edited cell). I think this is better than having two input fields for one edited cell.

Yes it's better. Will merge later; waiting to see if there is a better fix for the HTML entities escaping.

> --
> Aris Feryanto
Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
--
Marc Delisle
http://infomarc.info

Hi

On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle <marc@infomarc.info> wrote:

> Aris Feryanto wrote:
>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:
>>
>> Hi Michal,
>>
>>> From: Michal Čihař <michal@cihar.com>
>>>
>>> Hi
>>>
>>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
>>
>> Thank you for pointing this out. I fixed this in my git.
>
> Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
> Michal, can you enlighten us?

It was on the security list for inline editing :-).

--
Michal Čihař | http://cihar.com | http://phpmyadmin.cz

Michal Čihař wrote:
> Hi
>
> On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle <marc@infomarc.info> wrote:
>
>> Aris Feryanto wrote:
>>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:
>>>
>>> Hi Michal,
>>>
>>>> From: Michal Čihař <michal@cihar.com>
>>>>
>>>> Hi
>>>>
>>>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
>>>
>>> Thank you for pointing this out. I fixed this in my git.
>>
>> Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
>> Michal, can you enlighten us?
>
> It was on the security list for inline editing :-).

It was not a commit?

--
Marc Delisle
http://infomarc.info

Hi

On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle <marc@infomarc.info> wrote:

> Michal Čihař wrote:
>> Hi
>>
>> On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle <marc@infomarc.info> wrote:
>>
>>> Aris Feryanto wrote:
>>>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:
>>>>
>>>> Hi Michal,
>>>>
>>>>> From: Michal Čihař <michal@cihar.com>
>>>>>
>>>>> Hi
>>>>>
>>>>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
>>>>
>>>> Thank you for pointing this out. I fixed this in my git.
>>>
>>> Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
>>> Michal, can you enlighten us?
>>
>> It was on the security list for inline editing :-).
>
> It was not a commit?

No, because I was totally unsure about it. Herman has reviewed it and pushed it to MAINT_3_4_4-security about an hour ago.

--
Michal Čihař | http://cihar.com | http://phpmyadmin.cz

Michal Čihař wrote:
> Hi
>
> On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle <marc@infomarc.info> wrote:
>
>> Michal Čihař wrote:
>>> Hi
>>>
>>> On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle <marc@infomarc.info> wrote:
>>>
>>>> Aris Feryanto wrote:
>>>>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto@yahoo.com> wrote:
>>>>>
>>>>> Hi Michal,
>>>>>
>>>>>> From: Michal Čihař <michal@cihar.com>
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
>>>>>
>>>>> Thank you for pointing this out. I fixed this in my git.
>>>>
>>>> Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
>>>> Michal, can you enlighten us?
>>>
>>> It was on the security list for inline editing :-).
>>
>> It was not a commit?
>
> No, because I was totally unsure about it. Herman has reviewed it and pushed it to MAINT_3_4_4-security about an hour ago.

Right, I should buy more RAM for my brain.

Aris, could you make some tests to see if this technique could replace your new escaping function PMA_htmlEncode()? Instead of

$somejQueryObject.html(new_html);

use

$somejQueryObject.text(new_html);

--
Marc Delisle
http://infomarc.info
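The .html()/.text() difference that Marc asks Aris to test, as an added example that is not part of the thread and not phpMyAdmin's code. It models a jQuery-wrapped cell in a few lines of plain JavaScript so it runs outside a browser; the htmlEncode() helper (a stand-in for whatever PMA_htmlEncode() does), the FakeCell class and the EVIL_VALUE payload are assumptions for illustration, and the payload is constructed, not the content of test/test_data/exploit_test.sql. The last check goes one step beyond the thread: if .text() replaces PMA_htmlEncode(), the value must be escaped exactly once, because doing both shows the user literal entities.

```javascript
// Added example (not phpMyAdmin code): why $cell.text(v) is safe where
// $cell.html(v) is not, and what a hand-written escaper has to do to match it.

// Stand-in for an escaping helper such as the PMA_htmlEncode() discussed in
// the thread. Covers the five characters that matter in text and quoted
// attribute context. Name and implementation are assumptions, not phpMyAdmin's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal model of a jQuery-wrapped <td>, just enough to show the two setters.
// .html(v) hands the string to the HTML parser, so tags inside v become live nodes.
// .text(v) creates a text node; a browser serialises that back into innerHTML
// with only & < > escaped, which is what this stand-in reproduces.
class FakeCell {
  constructor() { this.innerHTML = ''; }
  html(v) { this.innerHTML = String(v); return this; }
  text(v) { this.innerHTML = String(v).replace(/[&<>]/g, (ch) => HTML_ESCAPES[ch]); return this; }
}

// Constructed sample: the kind of value a column like exploit_test.evil_content
// could hold. Illustrative only; not taken from test/test_data/exploit_test.sql.
const EVIL_VALUE = '<img src=x onerror="alert(document.cookie)">Bob & "Alice"';

// Vulnerable pattern: the cell value is parsed as markup.
function renderWithHtml(value) {
  return new FakeCell().html(value).innerHTML;
}

// Pattern suggested in the thread: the cell value becomes a text node.
function renderWithText(value) {
  return new FakeCell().text(value).innerHTML;
}

// The PMA_htmlEncode() route: escape first, then insert as HTML. Equivalent for
// display as long as it happens exactly once.
function renderWithEncodeThenHtml(value) {
  return new FakeCell().html(htmlEncode(value)).innerHTML;
}

// Reviewer's check over rendered markup: a start tag, end tag or comment
// surviving in it means the value was parsed as HTML.
function containsTag(markup) {
  return /<[a-zA-Z!\/]/.test(markup);
}

// What the user sees for the serialised markup of a text node; only the three
// entities a text node can contain are decoded.
function displayedText(markup) {
  return markup.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

console.log(renderWithHtml(EVIL_VALUE));                  // live <img onerror=...> tag
console.log(renderWithText(EVIL_VALUE));                  // &lt;img ...&gt;Bob &amp; "Alice"
console.log(displayedText(renderWithText(EVIL_VALUE)) === EVIL_VALUE); // true: user sees the raw value
// Pitfall when swapping PMA_htmlEncode() for .text(): doing both double-encodes,
// and the user sees the literal text &lt;b&gt; instead of <b>.
console.log(displayedText(renderWithText(htmlEncode('<b>'))));
```

In a real DOM the innerHTML of a text node can differ from the stand-in in detail (quotes come back unescaped, for instance), but the property that matters holds: nothing passed through .text() is ever parsed as markup. It covers the cell's text content only; a value loaded into the grid editor's input or textarea should be set with .val(), and anything that ends up inside an attribute still needs attribute-aware escaping.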
participants (3)
- Aris Feryanto
- Marc Delisle
- Michal Čihař