[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1

Garvin Hicking phpmyadmin at supergarv.de
Tue Nov 22 02:59:02 CET 2005


> it is not for the end user or admin

But then such a file should not be included in the release, or at least renamed
to "test.php.txt" so that it can only be executed after being renamed?

> i just sticked it fast together and needed to check it in this morning to have
> it available here

Okay, it's just a thing that needs attention being paid to, because of the
ongoing XSS problems in PMA we should have as little code contributing to that
situation :)

> but what should be checked for XSS? variables used here should already be
> checked by common.lib.php

Yeah, that was what I didn't know about, since I sadly haven't found time to
look at recent PMA code recently. :(

> and $HTTP_HOST is not a place for XSS attacks

Why did Michal then fix this a day ago?


++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in

More information about the Developers mailing list