The branch, MAINT_3_4_0 has been updated
via 3f12de1746a25fe8f34d5892c21ae899356483be (commit)
via 3f95ef5c20691037ec7c6dac06df3a8ded53523e (commit)
from 86747ee08495700055ac4f7689c85a6d18cbf728 (commit)
- Log -----------------------------------------------------------------
commit 3f12de1746a25fe8f34d5892c21ae899356483be
Author: Marc Delisle <marc(a)infomarc.info>
Date: Fri Nov 26 09:03:22 2010 -0500
ChangeLog for XSS fix
commit 3f95ef5c20691037ec7c6dac06df3a8ded53523e
Author: Herman van Rink <rink(a)initfour.nl>
Date: Thu Nov 25 11:50:50 2010 +0100
bug #3115519: fixed XSS on search
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 +++---
libraries/common.lib.php | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c6bff75..994b4fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -130,6 +130,9 @@
- patch #3117535 [replication] Add quotes to database in initial statement,
thanks to Craig Duncan - duncan3dc
+3.3.8.1 (2010-10-26)
+- bug #3115519 (private) [security] XSS on db search
+
3.3.8.0 (2010-10-25)
- bug #3059311 [import] BIGINT field type added to table analysis
- [core] Update library PHPExcel to version 1.7.4
@@ -143,9 +146,6 @@
3.3.7.0 (2010-09-07)
- patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after
a page size increase, thanks to Martin Schönberger - mad05
-- bug #3054458 [core] Fixed displaying number of rows.
-- bug #3035300 [parser] Fixed wrong definition of keywords.
-- [setup] Fixed escaping of server name.
3.3.6.0 (2010-08-28)
- bug #3033063 [core] Navi gets wrong db name
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index ec5100f..4b194de 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -1769,7 +1769,7 @@ function PMA_linkOrButton($url, $message, $tag_params = array(),
$tmp = $tag_params;
$tag_params = array();
if (!empty($tmp)) {
- $tag_params['onclick'] = 'return confirmLink(this, \'' .
$tmp . '\')';
+ $tag_params['onclick'] = 'return confirmLink(this, \'' .
PMA_escapeJsString($tmp) . '\')';
}
unset($tmp);
}
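Review bot: The value escaped by the new `PMA_escapeJsString($tmp)` call lands in a JavaScript string that itself sits inside an HTML `onclick` attribute, so it needs two layers of encoding, and only the JavaScript layer is visible in this hunk. JS-string escaping does not neutralise characters that matter to the HTML attribute parser, such as a double quote or a character reference that the browser decodes before the handler runs. The code that serialises `$tag_params` into the tag is outside the hunk, so confirm that it HTML-encodes each value; if it does not, the continuation line should read `htmlspecialchars(PMA_escapeJsString($tmp)) . '\')';`. If callers already pass an escaped message, the new call would double-escape it, so a short comment stating that `$tag_params` is expected as raw, unescaped text would help. PMA_linkOrButton starts and ends outside the hunk.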
hooks/post-receive
--
phpMyAdmin