[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1
Garvin Hicking
phpmyadmin at supergarv.de
Tue Nov 22 02:59:02 CET 2005
Hi!
> it is not for the end user or admin
But then such a file should not be included in the release, or at least renamed
to "test.php.txt" so that it can only be executed after being renamed?
> I just stuck it together fast and needed to check it in this morning to have
> it available here
Okay, it's just a thing that needs attention paid to it: because of the
ongoing XSS problems in PMA, we should have as little code as possible contributing
to that situation :)
> but what should be checked for XSS? variables used here should already be
> checked by common.lib.php
Yeah, that was what I didn't know about, since I sadly haven't found time to
look at the recent PMA code. :(
> and $HTTP_HOST is not a place for XSS attacks
Why did Michal then fix this a day ago?
Regards,
Garvin
--
++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in