[Phpmyadmin-devel] XHTML compliance patch, PLS TEST!

Garvin Hicking phpmyadmin at supergarv.de
Tue Oct 4 02:44:25 CEST 2005


Hi!

>> +foreach( $_GET as $key => $val ) {
>> +    if ( ! in_array( $key, $drops ) ) {
>> +        $url_querys[] = $key . '=' . $val;
>> +    }
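Review bot: `$url_querys[] = $key . '=' . $val;` concatenates the raw `$_GET` key and value, so nothing the client sent is encoded before the rebuilt query string is emitted; apply `urlencode()` to both `$key` and `$val` here, and escape the assembled string with `htmlspecialchars()` wherever it is printed into HTML, since URL encoding alone does not make a value safe inside an attribute. Two smaller points in the same loop: `in_array( $key, $drops )` should pass `true` as its third argument, because PHP turns numeric query keys into integers and, before PHP 8, an integer key such as 0 compares loosely equal to a non-numeric string in `$drops`; and array-valued parameters (`foo[]=1`) are concatenated as the literal string "Array" instead of being reproduced.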
>>
>>
>> allows for XSS attacks to index.php which outputs remote input HTML/JS code.
>
> uuh, sorry, fixed this with
>
> $url_querys[] = urlencode( $key ) . '=' . urlencode( $val );

Okay, I think this should be safe enough (tm) ;)

>> Added to that, it seems your patch kills the $cfg['LeftFrameTableSeparator']
>> functionality of nested table groups in non-light mode. It seems you removed
>> all the PMA_nestedSet() functionality without proper replacement of its
>> content?
>
> did you try it? or did you just take a look at the code?

I applied the code, yes. I looked at my main table which contains 266 tables
with many "_" separators, which don't work anymore. But then I looked at a
second database with only 4 tables, they were grouped properly - so I think
there must just be a bug left in the generation code?

I set the separator to "_" and have this list of tables:

access
accesslog
aggregator_category
aggregator_category_feed
aggregator_category_item
aggregator_feed
aggregator_item
authmap
be_groups
be_sessions
be_users
blocks
book
boxes
cache
cache_hash
cache_imagesizes
cache_md5params
cache_pages
cache_pagesection
cache_typo3temp_log
comments
contact
directory
fe_groups
fe_session_data
fe_sessions
fe_users
files
filter_formats
filters
flood
forum
fud26_action_log
fud26_ann_forums
fud26_announce
fud26_attach
fud26_avatar
fud26_blocked_logins
fud26_buddy
fud26_cat
fud26_custom_tags
fud26_email_block
fud26_ext_block
fud26_fc_view
fud26_fl_1
fud26_fl_pm
fud26_forum
fud26_forum_notify
fud26_forum_read
fud26_group_cache
fud26_group_members
fud26_group_resources
fud26_groups
fud26_index
fud26_ip_block
fud26_level
fud26_mime
fud26_mlist
fud26_mod
fud26_mod_que
fud26_msg
fud26_msg_report
fud26_nntp
fud26_pmsg
fud26_poll
fud26_poll_opt
fud26_poll_opt_track
fud26_read
fud26_replace
fud26_search
fud26_search_cache
fud26_ses
fud26_smiley
fud26_stats_cache
fud26_themes
fud26_thr_exchange
fud26_thread
fud26_thread_notify
fud26_thread_rate_track
fud26_title_index
fud26_tv_1
fud26_user_ignore
fud26_users
history
locales_meta
locales_source
locales_target
menu
moderation_filters
moderation_roles
moderation_votes
node
node_access
node_comment_statistics
node_counter
node_revisions
pages
pages_language_overlay
permission
poll
poll_choices
profile_fields
profile_values
role
search_index
search_total
sequences
serendipity_GROUPS_authorgroups
serendipity_GROUPS_authors
serendipity_GROUPS_category
serendipity_GROUPS_comments
serendipity_GROUPS_config
serendipity_GROUPS_entries
serendipity_GROUPS_entrycat
serendipity_GROUPS_entryproperties
serendipity_GROUPS_exits
serendipity_GROUPS_groupconfig
serendipity_GROUPS_groups
serendipity_GROUPS_images
serendipity_GROUPS_permalinks
serendipity_GROUPS_plugins
serendipity_GROUPS_references
serendipity_GROUPS_referrers
serendipity_GROUPS_suppress
serendipity_MERGE_aggregator_feeds
serendipity_MERGE_authors
serendipity_MERGE_category
serendipity_MERGE_comments
serendipity_MERGE_config
serendipity_MERGE_entries
serendipity_MERGE_entrycat
serendipity_MERGE_entryproperties
serendipity_MERGE_entrytags
serendipity_MERGE_exits
serendipity_MERGE_images
serendipity_MERGE_karma
serendipity_MERGE_karmalog
serendipity_MERGE_plugins
serendipity_MERGE_references
serendipity_MERGE_referrers
serendipity_MERGE_shoutbox
serendipity_MERGE_spamblocklog
serendipity_MERGE_suppress
serendipity_NOUTF8access
serendipity_NOUTF8authorgroups
serendipity_NOUTF8authors
serendipity_NOUTF8category
serendipity_NOUTF8comments
serendipity_NOUTF8config
serendipity_NOUTF8entries
serendipity_NOUTF8entrycat
serendipity_NOUTF8entryproperties
serendipity_NOUTF8exits
serendipity_NOUTF8groupconfig
serendipity_NOUTF8groups
serendipity_NOUTF8images
serendipity_NOUTF8permalinks
serendipity_NOUTF8plugincategories
serendipity_NOUTF8pluginlist
serendipity_NOUTF8plugins
serendipity_NOUTF8references
serendipity_NOUTF8referrers
serendipity_NOUTF8suppress
serendipity_SVN_access
serendipity_SVN_aggregator_feedcat
serendipity_SVN_aggregator_feeds
serendipity_SVN_aggregator_md5
serendipity_SVN_authorgroups
serendipity_SVN_authors
serendipity_SVN_category
serendipity_SVN_categorytemplates
serendipity_SVN_comments
serendipity_SVN_config
serendipity_SVN_entries
serendipity_SVN_entrycat
serendipity_SVN_entryproperties
serendipity_SVN_entrytags
serendipity_SVN_exits
serendipity_SVN_groupconfig
serendipity_SVN_groups
serendipity_SVN_guestbook
serendipity_SVN_images
serendipity_SVN_karma
serendipity_SVN_karmalog
serendipity_SVN_link_category
serendipity_SVN_links
serendipity_SVN_mycalendar
serendipity_SVN_pending_authors
serendipity_SVN_percentagedone
serendipity_SVN_permalinks
serendipity_SVN_plugincategories
serendipity_SVN_pluginlist
serendipity_SVN_plugins
serendipity_SVN_polls
serendipity_SVN_polls_options
serendipity_SVN_profiles
serendipity_SVN_project_category
serendipity_SVN_project_colors
serendipity_SVN_references
serendipity_SVN_referrers
serendipity_SVN_spamblocklog
serendipity_SVN_staticblocks
serendipity_SVN_staticpages
serendipity_SVN_suppress
serendipity_UTF8_access
serendipity_UTF8_authorgroups
serendipity_UTF8_authors
serendipity_UTF8_category
serendipity_UTF8_comments
serendipity_UTF8_config
serendipity_UTF8_entries
serendipity_UTF8_entrycat
serendipity_UTF8_entryproperties
serendipity_UTF8_exits
serendipity_UTF8_groupconfig
serendipity_UTF8_groups
serendipity_UTF8_images
serendipity_UTF8_permalinks
serendipity_UTF8_plugincategories
serendipity_UTF8_pluginlist
serendipity_UTF8_plugins
serendipity_UTF8_references
serendipity_UTF8_referrers
serendipity_UTF8_suppress
serendipity_authors
serendipity_category
serendipity_comments
serendipity_config
serendipity_entries
serendipity_entrycat
serendipity_entryproperties
serendipity_exits
serendipity_images
serendipity_plugins
serendipity_references
serendipity_referrers
serendipity_suppress
sessions
static_template
static_tsconfig_help
sys_be_shortcuts
sys_domain
sys_filemounts
sys_history
sys_language
sys_lockedrecords
sys_log
sys_note
sys_notepad
sys_template
system
term_data
term_hierarchy
term_node
term_relation
term_synonym
tt_content
tx_impexp_presets
url_alias
users
users_roles
variable
vocabulary
vocabulary_node_types
watchdog

So I would expect to get at least groups "serendipity" and "sys" for example,
but instead they show up in a singular flat listing...?!

My $cfg['LeftFrameTableLevel'] is set to "2".

If you can't reproduce that I could give you a full SQL dump of my tables and
send you my config files?

Best regards,
Garvin

-- 
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
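The query-string rebuild discussed at the top of this mail, as an added example that is not phpMyAdmin's own code: the unescaped builder from the quoted hunk beside a hardened version that applies urlencode() to key and value, expands array parameters instead of emitting "Array", and escapes again for the HTML context. The `$get`, `$drops`, function names and the injected value are constructed for the illustration.

```php
<?php
// Constructed request, as PHP would populate $_GET for
//   index.php?db=test&lang=en&server=1&x="><b>injected</b>&sort[]=a&sort[]=b
$get = array(
    'db'     => 'test',
    'lang'   => 'en',
    'server' => '1',
    'x'      => '"><b>injected</b>',
    'sort'   => array('a', 'b'),
);
$drops = array('lang', 'server');   // keys stripped before re-emitting

// Vulnerable form from the quoted patch: raw keys and values are concatenated,
// so whatever the client sent lands verbatim in the generated URL/HTML.
function build_query_unsafe(array $get, array $drops) {
    $url_querys = array();
    foreach ($get as $key => $val) {
        if (!in_array($key, $drops)) {
            $url_querys[] = $key . '=' . $val;      // arrays become "Array"
        }
    }
    return implode('&', $url_querys);
}

// Hardened form: urlencode() both halves (the follow-up mail's fix), strict
// in_array() so integer keys are not loosely matched, arrays expanded as a[]=.
function build_query_safe(array $get, array $drops, $prefix = '') {
    $url_querys = array();
    foreach ($get as $key => $val) {
        if ($prefix === '' && in_array($key, $drops, true)) {
            continue;
        }
        $name = ($prefix === '') ? urlencode($key)
                                 : $prefix . '[' . urlencode($key) . ']';
        $url_querys[] = is_array($val)
            ? build_query_safe($val, $drops, $name)
            : $name . '=' . urlencode($val);
    }
    return implode('&', $url_querys);
}

// URL encoding protects the URL syntax; the HTML attribute is a second
// context and gets its own escaping when the link is printed.
function link_to_index($query) {
    return '<a href="index.php?' . htmlspecialchars($query, ENT_QUOTES) . '">index</a>';
}

echo build_query_unsafe($get, $drops), "\n";  // db=test&x="><b>injected</b>&sort=Array
echo build_query_safe($get, $drops), "\n";    // db=test&x=%22%3E%3Cb%3Einjected%3C%2Fb%3E&sort[0]=a&sort[1]=b
echo link_to_index(build_query_safe($get, $drops)), "\n";
```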
