[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1
Sebastian Mendel
lists at sebastianmendel.de
Tue Nov 22 03:25:01 CET 2005
Garvin Hicking wrote:
> Hi!
>
>> it is not for the end user or admin
>
> But then such a file should not be included in the release, or at least renamed
> to "test.php.txt" so that it can only be executed after being renamed?
Why? The lang scripts are not renamed from .sh to .sh.txt either ...
And don't make it too hard for theme developers - probably they are not
techies.
>> I just stuck it together quickly and needed to check it in this morning to have
>> it available here
>
> Okay, it's just a thing that needs attention being paid to, because of the
> ongoing XSS problems in PMA we should have as little code contributing to that
> situation :)
>
>> but what should be checked for XSS? variables used here should already be
>> checked by common.lib.php
>
> Yeah, that was what I didn't know about, since I sadly haven't found time to
> look at recent PMA code recently. :(
>
>> and $HTTP_HOST is not a place for XSS attacks
>
> Why did Michal then fix this a day ago?
I don't know. I mean, it is not wrong to escape this value, but it is not
really necessary: you cannot reach the host you want if you add XSS
code to the host in the HTTP header ... IMHO!
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
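As an added example (not code from phpMyAdmin or from either poster), the point under discussion in PHP: the Host header is client-supplied input, so a shipped page that prints it should validate and escape it rather than rely on where the request was routed. The allowlist, `safe_host()` and `h()` are assumptions made for this sketch.

```php
<?php
// Added example, not phpMyAdmin code. $_SERVER['HTTP_HOST'] is the client's
// Host header; the server uses it to pick a vhost, but its text is untrusted.

// Hypothetical allowlist of hosts this installation is actually served on.
const EXPECTED_HOSTS = ['pma.example.org', 'localhost'];

/**
 * Return the Host header if it matches the allowlist, otherwise the first
 * expected host, so request-chosen text never reaches the page at all.
 */
function safe_host(string $httpHost): string
{
    // Drop an optional ":port" suffix, then compare strictly.
    $name = strtolower(preg_replace('/:\d+$/', '', $httpHost));
    return in_array($name, EXPECTED_HOSTS, true) ? $name : EXPECTED_HOSTS[0];
}

/**
 * Escape a string for an HTML context, whatever its origin.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a Host header carrying markup, as the thread discusses.
$sampleHost = 'pma.example.org"><b>injected</b>';

// Before: the value is written into the page as-is, so the markup renders.
$unsafe = '<a href="http://' . $sampleHost . '/">' . $sampleHost . '</a>';

// After: the value is validated against the allowlist and escaped on output.
$host = safe_host($sampleHost);
$safe = '<a href="http://' . h($host) . '/">' . h($host) . '</a>';

// For a value that is not on the allowlist, $safe points at the first
// expected host; for one that is, it is printed escaped.
echo "unsafe: $unsafe\nsafe:   $safe\n";
```

The allowlist check also covers a host string that is not HTML at all but simply points somewhere the installation is not meant to serve.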