[Phpmyadmin-devel] Grid editing and escaping

Marc Delisle marc at infomarc.info
Fri Aug 19 14:37:15 CEST 2011


Michal Čihař wrote:
> Hi
> 
> On Fri, 19 Aug 2011 08:20:45 -0400
> Marc Delisle <marc at infomarc.info> wrote:
> 
>> Michal Čihař wrote:
>>> Hi
>>>
>>> On Fri, 19 Aug 2011 08:00:31 -0400
>>> Marc Delisle <marc at infomarc.info> wrote:
>>>
>>>> Aris Feryanto wrote:
>>>>> On 19 Agu 2011, at 15:36, Aris Feryanto <aris_feryanto at yahoo.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Michal,
>>>>>>
>>>>>>> From: Michal Čihař <michal at cihar.com>
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> it looks like grid editing does not properly handle escaping HTML
>>>>>>>  entities. Just try importing test/test_data/exploit_test.sql and
>>>>>>> edit any row in exploit_test.evil_content.
>>>>>>>
>>>>>> Thank you for pointing this out. I fixed this in my git.
>>>> Ok but I believe I've seen a recent commit by Michal that fixed this 
>>>> kind of problem in a quicker way; it was about using .html(x) instead of 
>>>> .text(x) or the reverse :)
>>>>
>>>> Michal, can you enlighten us?
>>> It was on security list for inline editing :-).
>> It was not a commit?
> 
> No, because I was totally unsure about it. Herman has reviewed it and
> pushed it to MAINT_3_4_4-security about an hour ago.

Right, I should buy more RAM for my brain.

Aris, could you make some tests to see if this technique could replace 
your new escaping function PMA_htmlEncode()?

Instead of
$somejQueryObject.html(new_html);

use
$somejQueryObject.text(new_html);

-- 
Marc Delisle
http://infomarc.info
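A DOM-free way to carry out the comparison Marc asks for, added here as an example and not code from the phpMyAdmin project: a tiny element model that mimics jQuery's .html(x) and .text(x), next to an assumed stand-in for PMA_htmlEncode() (its real implementation is not shown in the thread). It shows that both routes leave markup inert in a cell, and that a text node is serialised with quotes left alone, which is why .text() is only the right tool for text content, not for attribute values.

```javascript
// Added example, not phpMyAdmin code. Models what $obj.html(x) and
// $obj.text(x) leave in the page so the two escaping approaches can be
// compared without a browser.

// How browsers serialise a text node when it is read back through
// innerHTML: only &, U+00A0, < and > are escaped; quotes are not.
function serializeTextNode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed stand-in for PMA_htmlEncode(): the usual five-character escape.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal element model: innerHTML holds the markup a browser would parse.
class Cell {
  constructor() { this.innerHTML = ''; }
  // like jQuery .html(x): the string is parsed as markup
  html(x) { this.innerHTML = String(x); return this; }
  // like jQuery .text(x): the string becomes a single text node
  text(x) { this.innerHTML = serializeTextNode(x); return this; }
}

// True if the markup still contains something the parser treats as a tag.
function hasLiveTag(markup) {
  return /<\/?[a-zA-Z]/.test(markup);
}

// Constructed sample value with markup, an ampersand and quotes.
const SAMPLE = '<b title="t">bold</b> & "quoted"';

// The three ways of putting an untrusted value into a grid cell.
function compare(value) {
  return {
    viaHtml:   new Cell().html(value).innerHTML,            // markup stays live
    viaText:   new Cell().text(value).innerHTML,            // inert, quotes kept
    viaEncode: new Cell().html(htmlEncode(value)).innerHTML, // inert, quotes escaped
  };
}
```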
