[Phpmyadmin-devel] Grid editing and escaping
Marc Delisle
marc at infomarc.info
Fri Aug 19 14:37:15 CEST 2011
Michal Čihař a écrit :
> Hi
>
> Dne Fri, 19 Aug 2011 08:20:45 -0400
> Marc Delisle <marc at infomarc.info> napsal(a):
>
>> Michal Čihař a écrit :
>>> Hi
>>>
>>> Dne Fri, 19 Aug 2011 08:00:31 -0400
>>> Marc Delisle <marc at infomarc.info> napsal(a):
>>>
>>>> Aris Feryanto a écrit :
>>>>> On 19 Agu 2011, at 15:36, Aris Feryanto <aris_feryanto at yahoo.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Michal,
>>>>>>
>>>>>>> From: Michal Čihař <michal at cihar.com>
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> it looks like grid editing does not properly handle escaping HTML
>>>>>>> entities. Just try importing test/test_data/exploit_test.sql and
>>>>>>> edit any row in exploit_test.evil_content.
>>>>>>>
>>>>>> Thank you for pointing this out. I fixed this in my git.
>>>> Ok but I believe I've seen a recent commit by Michal that fixed this
>>>> kind of problem in a quicker way; it was about using .html(x) instead of
>>>> .text(x) or the reverse :)
>>>>
>>>> Michal, can you enlighten us?
>>> It was on security list for inline editing :-).
>> It was not a commit?
>
> No, because I was totally unsure about it. Herman has reviewed itand
> pushed it to MAINT_3_4_4-security about hour ago.
Right, I should buy more RAM for my brain.
Aris, could you make some tests to see if this technique could replace
your new escaping function PMA_htmlEncode()?
Instead of
$somejQueryObject.html(new_html);
use
$somejQueryObject.text(new_html);
--
Marc Delisle
http://infomarc.info
More information about the Developers
mailing list