[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1

Michal Čihař michal at cihar.com
Tue Nov 22 12:29:04 CET 2005


On Tue 22. 11. 2005 11:58, Garvin Hicking wrote:
> > and $HTTP_HOST is not a place for XSS attacks
>
> Why did Michal then fix this a day ago?

Because you could insert any JavaScript using
index.php?HTTP_HOST="><script>some evil code</script>

-- 
    Michal Čihař | http://cihar.com
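The reason a request-controlled $HTTP_HOST is an XSS sink, as an added PHP example that is not part of this message or of phpMyAdmin's own code: it models a register_globals-style import in which a GET parameter can override the server-supplied variable (the render_vulnerable/render_hardened functions, the form markup and the host value pma.example.test are all assumptions constructed for the illustration), and puts the unescaped rendering beside a hardened one that reads the host only from the server layer and escapes it for the attribute context.

```php
<?php
// Added example, not phpMyAdmin code.
// Constructed request: the attacker appends
//   ?HTTP_HOST="><script>alert(1)</script>
// to the URL. The query string is parsed by hand so the script runs
// without a web server.
$query = 'HTTP_HOST=%22%3E%3Cscript%3Ealert(1)%3C/script%3E';
parse_str($query, $get);

// --- Vulnerable pattern (assumed, modelled on a request-variable
// import that lets GET values land in the global scope) ---
// A GET parameter named HTTP_HOST silently replaces the server value,
// and the result is interpolated into an attribute without escaping.
function render_vulnerable(array $get, array $server) {
    $vars = $server;
    foreach ($get as $k => $v) {
        $vars[$k] = $v;               // request wins over server
    }
    $HTTP_HOST = $vars['HTTP_HOST'];
    return '<form action="http://' . $HTTP_HOST . '/index.php">';
}

// --- Hardened pattern ---
// 1. Take the host only from the server layer, never from the request.
// 2. Allow-list the shape of a hostname[:port]; fall back otherwise.
// 3. Escape for the HTML attribute context it is written into.
function render_hardened(array $get, array $server) {
    $host = $server['HTTP_HOST'];
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]+)?$/', $host)) {
        $host = 'localhost';          // assumed safe fallback
    }
    return '<form action="http://'
        . htmlspecialchars($host, ENT_QUOTES)
        . '/index.php">';
}

$server = array('HTTP_HOST' => 'pma.example.test');  // constructed

echo "vulnerable: ", render_vulnerable($get, $server), "\n";
// -> <form action="http://"><script>alert(1)</script>/index.php">
//    the attribute is closed early and the script runs
echo "hardened:   ", render_hardened($get, $server), "\n";
// -> <form action="http://pma.example.test/index.php">
```

The vulnerable output shows the payload's leading `">` terminating the action attribute, which is exactly what the `"><script>` prefix in the URL above is for; the hardened version never consults the request for the host, so the same query string has no effect.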