On 19 Agu 2011, at 15:36, Aris Feryanto aris_feryanto@yahoo.com wrote:
Hi Michal,
> From: Michal Čihař michal@cihar.com
> Hi
> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
Thank you for pointing this out. I fixed this in my git.
I also changed the way of grid editing a bit. For normal text, the grid editing is not shown with the 'edit area' (a bigger editing area under the edited cell) anymore. I think this is better than having two input fields for one edited cell.
-- Aris Feryanto
Aris Feryanto wrote:
> On 19 Agu 2011, at 15:36, Aris Feryanto aris_feryanto@yahoo.com wrote:
> Hi Michal,
>> From: Michal Čihař michal@cihar.com
>> Hi
>> it looks like grid editing does not properly handle escaping HTML entities. Just try importing test/test_data/exploit_test.sql and edit any row in exploit_test.evil_content.
> Thank you for pointing this out. I fixed this in my git.
Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
Michal, can you enlighten us?
> I also changed the way of grid editing a bit. For normal text, the grid editing is not shown with the 'edit area' (a bigger editing area under the edited cell) anymore. I think this is better than having two input fields for one edited cell.
Yes it's better. Will merge later; waiting to see if there is a better fix for the HTML entities escaping.
_______________________________________________
Phpmyadmin-devel mailing list
Phpmyadmin-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
Hi
On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle marc@infomarc.info wrote:
> Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
> Michal, can you enlighten us?
It was on the security list for inline editing :-).
Michal Čihař wrote:
> Hi
> On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle marc@infomarc.info wrote:
>> Ok but I believe I've seen a recent commit by Michal that fixed this kind of problem in a quicker way; it was about using .html(x) instead of .text(x) or the reverse :)
>> Michal, can you enlighten us?
> It was on the security list for inline editing :-).
It was not a commit?
Hi
On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle marc@infomarc.info wrote:
>> It was on the security list for inline editing :-).
> It was not a commit?
No, because I was totally unsure about it. Herman has reviewed it and pushed it to MAINT_3_4_4-security about an hour ago.
Michal Čihař wrote:
> Hi
> On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle marc@infomarc.info wrote:
>> It was not a commit?
> No, because I was totally unsure about it. Herman has reviewed it and pushed it to MAINT_3_4_4-security about an hour ago.
Right, I should buy more RAM for my brain.
Aris, could you make some tests to see if this technique could replace your new escaping function PMA_htmlEncode()?
Instead of $somejQueryObject.html(new_html);
use $somejQueryObject.text(new_html);
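As an added illustration of the question Marc raises (this is not code from phpMyAdmin or from anyone in this thread), the JavaScript below models what jQuery's .html(x) and .text(x) do with a cell value written back into the grid, and checks whether .text(x) renders the same as .html(encoded) where the encoding is an htmlspecialchars-style helper of the kind PMA_htmlEncode() provides. The FakeElement class, the simplified tag parser, escapeHtml/decodeEntities and the sample cell value are all assumptions made for the demo so that it runs without a browser DOM.

```javascript
// Added example, not phpMyAdmin code. Models .html(x) vs .text(x) on a
// stand-in DOM element and compares .text(x) with .html(escapeHtml(x)).

// htmlspecialchars-style encoding (assumed to approximate PMA_htmlEncode()).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inverse of escapeHtml for text between tags when markup is parsed.
// Single pass, so '&amp;lt;' decodes to '&lt;' and not to '<'.
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (_, name) => map[name]);
}

// Minimal stand-in for a DOM element: children are text or element nodes.
class FakeElement {
  constructor() { this.children = []; }

  // Like $(el).html(markup): the string is parsed, so anything shaped like
  // a tag becomes an element node instead of visible text. The tag regex is
  // a deliberate simplification of real HTML parsing.
  setHtml(markup) {
    this.children = [];
    const tagRe = /<\/?[a-zA-Z][^>]*>/g;
    let last = 0;
    for (const m of markup.matchAll(tagRe)) {
      if (m.index > last) {
        this.children.push({ type: 'text', data: decodeEntities(markup.slice(last, m.index)) });
      }
      this.children.push({ type: 'element', tag: m[0] });
      last = m.index + m[0].length;
    }
    if (last < markup.length) {
      this.children.push({ type: 'text', data: decodeEntities(markup.slice(last)) });
    }
  }

  // Like $(el).text(value): exactly one text node, nothing is parsed.
  setText(value) {
    this.children = [{ type: 'text', data: String(value) }];
  }

  // Serialize back to markup; text nodes are re-escaped (this model also
  // escapes quotes, which browsers do not do for text nodes).
  serialize() {
    return this.children.map((n) => (n.type === 'text' ? escapeHtml(n.data) : n.tag)).join('');
  }

  elementCount() {
    return this.children.filter((n) => n.type === 'element').length;
  }
}

function renderWithHtml(value) { const el = new FakeElement(); el.setHtml(value); return el; }
function renderWithText(value) { const el = new FakeElement(); el.setText(value); return el; }

// The comparison Marc asks for: does .text(x) render like .html(encode(x))?
function textEqualsEncodedHtml(value) {
  return renderWithText(value).serialize() === renderWithHtml(escapeHtml(value)).serialize();
}

// Constructed sample cell value (not taken from exploit_test.sql).
const sample = '<b>Bob</b> & "Co"';
console.log('html():', renderWithHtml(sample).elementCount(), 'element nodes'); // 2
console.log('text():', renderWithText(sample).elementCount(), 'element nodes'); // 0
console.log('text(x) == html(escapeHtml(x)):', textEqualsEncodedHtml(sample)); // true
```

The useful part is the last check: for any value, setting it with .text() yields a single text node, and setting the encoded value with .html() yields that same text node once the browser decodes the entities, so the two are equivalent for plain cell content. Where they differ is in what they protect against: .text() removes the need to encode at all on the client, while .html(encoded) still depends on every call site remembering to encode first.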