[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1

Sebastian Mendel lists at sebastianmendel.de
Tue Nov 22 01:46:01 CET 2005

Garvin Hicking wrote:
> Hi Sebastian!
> I'm not up to date on recent code, but are these:
>> $lang_iso_code = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
>> // start output
>> header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
>> ?>
>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
>> <html xmlns="http://www.w3.org/1999/xhtml"
>> xml:lang="<?php echo $lang_iso_code; ?>"
>> lang="<?php echo $lang_iso_code; ?>" dir="<?php echo $GLOBALS['text_dir']; ?>">
>> <head>
>> <title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo $HTTP_HOST; ?> - Theme
>> Test</title>
> Checked against XSS attacks? At least I saw Michals commit about the $HTTP_HOST
> variable to be wrapped within htmlspecialchars() -- and does the 'charset'
> variable now get escaped for being passed to header()? I thought we would rather
> use a PMA_header() function or so?

no its not checked
its just for (theme) developers to have a single page to check there themes

it is not for the end user or admin

i just sticked it fast together and needed to check it in this morning 
to have it available here

but what should be checked for XSS? variables used here should already 
be checked by common.lib.php

and $HTTP_HOST is not a place for XSS attacks

Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet

More information about the Developers mailing list