[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1
Sebastian Mendel
lists at sebastianmendel.de
Tue Nov 22 01:46:01 CET 2005
Garvin Hicking wrote:
> Hi Sebastian!
>
> I'm not up to date on recent code, but are these:
>
>> $lang_iso_code = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
>>
>> // start output
>> header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
>> ?>
>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
>> <html xmlns="http://www.w3.org/1999/xhtml"
>> xml:lang="<?php echo $lang_iso_code; ?>"
>> lang="<?php echo $lang_iso_code; ?>" dir="<?php echo $GLOBALS['text_dir']; ?>">
>> <head>
>> <title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo $HTTP_HOST; ?> - Theme
>> Test</title>
>
> Checked against XSS attacks? At least I saw Michal's commit about the $HTTP_HOST
> variable to be wrapped within htmlspecialchars() -- and does the 'charset'
> variable now get escaped for being passed to header()? I thought we would rather
> use a PMA_header() function or so?
No, it's not checked.
It's just for (theme) developers to have a single page to check their themes;
it is not for the end user or admin.
I just stuck it together quickly and needed to check it in this morning
to have it available here.
But what should be checked for XSS? Variables used here should already
be checked by common.lib.php,
and $HTTP_HOST is not a place for XSS attacks.
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
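As an added example (not code from this thread or from phpMyAdmin), here is the same output block with the two values Garvin raises handled defensively: the charset is validated against a strict token pattern before it reaches header(), and the host name, which comes from the client's Host header, is HTML-escaped before being echoed into the title. The function names pma_safe_charset and pma_render_head and the sample host value are assumptions made for this example.

```php
<?php
// Added example, not phpMyAdmin code. Shows defensive handling of the two
// values discussed in the thread: the charset passed to header() and the
// host name echoed into <title>.

// Accept only a plain charset token (letters, digits, '.', '_', ':', '-').
// Anything else falls back to a known default, so no stray characters
// (newlines, quotes, separators) are ever written into the header line.
// PHP 5.1.2 and later refuse header() calls containing newlines, but an
// unknown charset would still break rendering, so validate it anyway.
function pma_safe_charset($charset, $default = 'utf-8')
{
    if (is_string($charset) && preg_match('/^[A-Za-z0-9._:-]{1,40}$/', $charset)) {
        return $charset;
    }
    return $default;
}

// Build the document head. $host originates from the request (Host header),
// so it is treated as untrusted and escaped before being placed in the title.
function pma_render_head($lang_iso_code, $text_dir, $charset, $host, $version)
{
    $charset = pma_safe_charset($charset);
    header('Content-Type: text/html; charset=' . $charset);

    $lang  = htmlspecialchars($lang_iso_code, ENT_QUOTES, 'UTF-8');
    $dir   = ($text_dir === 'rtl') ? 'rtl' : 'ltr';   // only two valid values
    $title = 'phpMyAdmin ' . htmlspecialchars($version, ENT_QUOTES, 'UTF-8')
           . ' - ' . htmlspecialchars($host, ENT_QUOTES, 'UTF-8') . ' - Theme Test';

    return '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"' . "\n"
         . '    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">' . "\n"
         . '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="' . $lang . '"'
         . ' lang="' . $lang . '" dir="' . $dir . '">' . "\n"
         . "<head>\n<title>" . $title . "</title>\n";
}

// Constructed sample input (not a real host): a host value carrying markup,
// as a client could send in its Host header. The escaped output shows the
// characters rendered harmlessly as &lt;b&gt; rather than as a tag.
$host = 'db.example.test<b>';
echo pma_render_head('en', 'ltr', 'iso-8859-1', $host, '2.7.0');
```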