The branch, MAINT_3_4_5 has been updated via bda213c58aec44925be661acb0e76c19483ea170 (commit) from 2f28ce9c800274190418da0945ce3647d36e1db6 (commit) - Log ----------------------------------------------------------------- commit bda213c58aec44925be661acb0e76c19483ea170 Author: Marc Delisle &lt;marc(a)infomarc.info&gt; Date: Thu Sep 8 15:38:40 2011 -0400 Escape HTML in js-generated confirmation messages ----------------------------------------------------------------------- Summary of changes: ChangeLog | 3 ++- js/functions.js | 15 +++++++++++++-- js/tbl_structure.js | 4 ++-- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1376169..326c8c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ phpMyAdmin - ChangeLog - [export] Remove native Excel export modules (xls and xlsx formats) - [import] Remove native Excel import modules (xls and xlsx formats) - bug #3392920 [edit] BLOB emptied after editing another column +- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14 +- [security] Fixed XSS with db/table/column names, see PMASA-2011-14 3.4.4.0 (2011-08-24) - bug #3323060 [parser] SQL parser breaks AJAX requests if query has unclosed quotes @@ -31,7 +33,6 @@ phpMyAdmin - ChangeLog - bug #3374347 [display] Backquotes in normal text on import page - bug #3358750 [core] With Suhosin, urls are too long in edit links - [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13 -- [security] Fixed XSS in Inline Edit on save action 3.4.3.2 (2011-07-23) - [security] Fixed XSS vulnerability, see PMASA-2011-9 diff --git a/js/functions.js b/js/functions.js index 75fd677..b076661 100644 --- a/js/functions.js +++ b/js/functions.js @@ -172,7 +172,7 @@ function selectContent( element, lock, only_once ) { } /** - * Displays a confirmation box before to submit a "DROP/DELETE/ALTER" query. + * Displays a confirmation box before submitting a "DROP/DELETE/ALTER" query. * This function is called while clicking links * * @param object the link @@ -1657,7 +1657,7 @@ $(document).ready(function() { /** * @var question String containing the question to be asked for confirmation */ - var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + window.parent.db; + var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + escapeHtml(window.parent.db); $(this).PMA_confirm(question, $(this).attr('href') ,function(url) { @@ -2287,3 +2287,14 @@ $(document).ready(function() { }) // end of $(document).ready() +/** + * HTML escaping + */ +function escapeHtml(unsafe) { + return unsafe + .replace(/&/g, "&amp;") + .replace(/</g, "&lt;") + .replace(/>/g, "&gt;") + .replace(/"/g, "&quot;") + .replace(/'/g, "&#039;"); +} diff --git a/js/tbl_structure.js b/js/tbl_structure.js index 352848c..493f0eb 100644 --- a/js/tbl_structure.js +++ b/js/tbl_structure.js @@ -44,7 +44,7 @@ $(document).ready(function() { /** * @var question String containing the question to be asked for confirmation */ - var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` DROP `' + curr_column_name + '`'; + var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` DROP `' + escapeHtml(curr_column_name) + '`'; $(this).PMA_confirm(question, $(this).attr('href'), function(url) { @@ -83,7 +83,7 @@ $(document).ready(function() { /** * @var question String containing the question to be asked for confirmation */ - var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` ADD PRIMARY KEY(`' + curr_column_name + '`)'; + var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` ADD PRIMARY KEY(`' + escapeHtml(curr_column_name) + '`)'; $(this).PMA_confirm(question, $(this).attr('href'), function(url) { hooks/post-receive -- phpMyAdmin