[Phpmyadmin-devel] Grid editing and escaping

Michal Čihař michal at cihar.com
Fri Aug 19 14:23:53 CEST 2011


Hi

On Fri, 19 Aug 2011 08:20:45 -0400
Marc Delisle <marc at infomarc.info> wrote:

> Michal Čihař wrote:
> > Hi
> > 
> > On Fri, 19 Aug 2011 08:00:31 -0400
> > Marc Delisle <marc at infomarc.info> wrote:
> > 
> >> Aris Feryanto wrote:
> >>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto at yahoo.com>
> >>> wrote:
> >>>
> >>>> Hi Michal,
> >>>>
> >>>>> From: Michal Čihař <michal at cihar.com>
> >>>>>
> >>>>> Hi
> >>>>>
> >>>>> it looks like grid editing does not properly handle escaping HTML
> >>>>> entities. Just try importing test/test_data/exploit_test.sql and
> >>>>> edit any row in exploit_test.evil_content.
> >>>>>
> >>>> Thank you for pointing this out. I fixed this in my git.
> >> Ok but I believe I've seen a recent commit by Michal that fixed this 
> >> kind of problem in a quicker way; it was about using .html(x) instead of 
> >> .text(x) or the reverse :)
> >>
> >> Michal, can you enlighten us?
> > 
> > It was on security list for inline editing :-).
> 
> It was not a commit?

No, because I was totally unsure about it. Herman has reviewed it and
pushed it to MAINT_3_4_4-security about an hour ago.

-- 
	Michal Čihař | http://cihar.com | http://phpmyadmin.cz
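As an added illustration of the .html(x) versus .text(x) point raised in the thread (this is not phpMyAdmin's code; the function names and the sample cell value are constructed), a DOM-free model of the two rendering paths and of the round trip a grid editor needs when a column value contains HTML entities:

```javascript
// Added example, not phpMyAdmin code. Models jQuery's .html(x) (x is
// interpreted as markup) against .text(x) (x is escaped) for a grid cell,
// without a browser DOM, so it runs under Node.

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Inverse of escapeHtml: what .text() hands back when reading a cell that
// was filled with .text(value). A grid editor needs this so the user edits
// the stored value, not its escaped form.
function unescapeHtml(html) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}

// Unsafe path, equivalent of $(cell).html(value): database content becomes
// markup, so tags stored in the column turn into live elements.
function renderCellUnsafe(value) {
  return '<td>' + value + '</td>';
}

// Safe path, equivalent of $(cell).text(value): content is escaped, so the
// browser displays the characters instead of interpreting them.
function renderCellSafe(value) {
  return '<td>' + escapeHtml(value) + '</td>';
}

// Read the editable value back out of a safely rendered cell.
function editorValueFromCell(cellHtml) {
  const inner = cellHtml.replace(/^<td>/, '').replace(/<\/td>$/, '');
  return unescapeHtml(inner);
}

// Constructed sample: a value that already holds an entity plus a tag.
const sampleValue = 'Tom &amp; "Jerry" <b>bold</b>';

// Round trip: render safely, then read back exactly the stored value.
function roundTripIsLossless(value) {
  return editorValueFromCell(renderCellSafe(value)) === value;
}
```

Note that the stored literal `&amp;` must survive the round trip as `&amp;` (double-escaped on display, decoded once on read); the unsafe path would show it as a bare `&` and lose the distinction.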