[Phpmyadmin-devel] Grid editing and escaping
Michal Čihař
michal at cihar.com
Fri Aug 19 14:14:10 CEST 2011
Hi
On Fri, 19 Aug 2011 08:00:31 -0400
Marc Delisle <marc at infomarc.info> wrote:
> Aris Feryanto wrote:
> > On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto at yahoo.com>
> > wrote:
> >
> >> Hi Michal,
> >>
> >>> From: Michal Čihař <michal at cihar.com>
> >>>
> >>> Hi
> >>>
> >>> it looks like grid editing does not properly handle escaping HTML
> >>> entities. Just try importing test/test_data/exploit_test.sql and
> >>> edit any row in exploit_test.evil_content.
> >>>
> >> Thank you for pointing this out. I fixed this in my git.
>
> Ok but I believe I've seen a recent commit by Michal that fixed this
> kind of problem in a quicker way; it was about using .html(x) instead of
> .text(x) or the reverse :)
>
> Michal, can you enlighten us?
It was on the security list, for inline editing :-).
--
Michal Čihař | http://cihar.com | http://phpmyadmin.cz
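The distinction Marc is asking about, shown as an added example that is not phpMyAdmin's own code: a cell value dropped into the page as markup (the string-level equivalent of jQuery's `.html(value)`) versus the same value inserted as text (the equivalent of `.text(value)`, which assigns textContent and never parses the value). It runs under Node without a DOM or jQuery, so the "render" functions build the `<td>` string by hand; `escapeHtml`, `renderCellUnsafe`, `renderCellSafe`, `hasInjectedTag` and the sample values are all constructed for this illustration and are not functions from the project.

```javascript
// Added example, not phpMyAdmin code. Demonstrates why inserting a raw
// column value as HTML is an XSS, and what escaping (or .text()) gives you.

// Escape the characters that matter inside HTML text and attribute values.
// This is what browsers effectively do for you when you assign textContent,
// i.e. when jQuery's .text(value) is used instead of .html(value).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw column value becomes part of the markup.
// String-level equivalent of $(cell).html(value).
function renderCellUnsafe(value) {
  return '<td class="data">' + value + '</td>';
}

// Hardened pattern: the value is escaped first.
// String-level equivalent of $(cell).text(value).
function renderCellSafe(value) {
  return '<td class="data">' + escapeHtml(value) + '</td>';
}

// Rough detector, used only to make the difference visible in the output:
// does the rendered fragment contain any tag besides the <td> wrapper?
// (Constructed helper; it is not a general XSS scanner.)
function hasInjectedTag(html) {
  const inner = html
    .replace(/^<td class="data">/, '')
    .replace(/<\/td>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample row values, in the spirit of a table full of
// "evil content": plain text, angle brackets, an event-handler injection,
// and a payload that closes the cell and opens a script element.
const SAMPLE_VALUES = [
  'plain text',
  'a < b && c > d',
  '<img src=x onerror="alert(1)">',
  '</td><script>document.title="pwned"</script><td>',
];

// Render every sample value with the given cell renderer.
function renderRow(render) {
  return SAMPLE_VALUES.map(render);
}

function main() {
  for (const v of SAMPLE_VALUES) {
    const unsafe = renderCellUnsafe(v);
    console.log('unsafe:', unsafe, hasInjectedTag(unsafe) ? '  <-- injected markup' : '');
    console.log('safe:  ', renderCellSafe(v));
  }
}

main();

module.exports = { escapeHtml, renderCellUnsafe, renderCellSafe, hasInjectedTag, renderRow, SAMPLE_VALUES };
```

The same rule applies when the grid editor reads a value back out of a cell: taking it with `.text()` returns the decoded characters, while `.html()` returns entity-encoded markup, so mixing the two on the way in and the way out is how entities end up double-encoded or, worse, un-escaped.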