[Phpmyadmin-devel] Grid editing and escaping

Aris Feryanto aris_feryanto at yahoo.com
Fri Aug 19 18:43:23 CEST 2011


On 19 Aug 2011, at 20:37, Marc Delisle <marc at infomarc.info> wrote:

> Michal Čihař wrote:
>> Hi
>> 
>> On Fri, 19 Aug 2011 08:20:45 -0400
>> Marc Delisle <marc at infomarc.info> wrote:
>> 
>>> Michal Čihař wrote:
>>>> Hi
>>>> 
>>>> On Fri, 19 Aug 2011 08:00:31 -0400
>>>> Marc Delisle <marc at infomarc.info> wrote:
>>>> 
>>>>> Aris Feryanto wrote:
>>>>>> On 19 Aug 2011, at 15:36, Aris Feryanto <aris_feryanto at yahoo.com>
>>>>>> wrote:
>>>>>> 
>>>>>>> Hi Michal,
>>>>>>> 
>>>>>>>> From: Michal Čihař <michal at cihar.com>
>>>>>>>> 
>>>>>>>> Hi
>>>>>>>> 
>>>>>>>> it looks like grid editing does not properly handle escaping HTML
>>>>>>>> entities. Just try importing test/test_data/exploit_test.sql and
>>>>>>>> edit any row in exploit_test.evil_content.
>>>>>>>> 
>>>>>>> Thank you for pointing this out. I fixed this in my git.
>>>>> Ok but I believe I've seen a recent commit by Michal that fixed this 
>>>>> kind of problem in a quicker way; it was about using .html(x) instead of 
>>>>> .text(x) or the reverse :)
>>>>> 
>>>>> Michal, can you enlighten us?
>>>> It was on security list for inline editing :-).
>>> It was not a commit?
>> 
>> No, because I was totally unsure about it. Herman has reviewed it and
>> pushed it to MAINT_3_4_4-security about an hour ago.
> 
> Right, I should buy more RAM for my brain.
> 
> Aris, could you make some tests to see if this technique could replace 
> your new escaping function PMA_htmlEncode()?
> 
> Instead of
> $somejQueryObject.html(new_html);
> 
> use
> $somejQueryObject.text(new_html);
> 


Right, Marc. When I was fixing this bug, I decided to use the above technique to handle the HTML escaping. I just forgot to push my commits that removed the PMA_htmlEncode function. But, since .text() cannot handle newlines reliably [0], the newlines in grid-edited cells may disappear in some browsers. I googled to find a solution for this, but could not find the best cross-browser solution.

[0] http://api.jquery.com/text/ : "Due to variations in the HTML parsers in different browsers, the text returned may vary in newlines and other white space."


--
Aris Feryanto
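The two escaping approaches discussed in this thread, written out as an added example (not code from phpMyAdmin or from anyone on the list): a string-level encoder of the kind PMA_htmlEncode() provided, whose output is safe to pass to .html() with newlines turned into <br>, and a DOM-level variant that appends text nodes and <br> elements directly and so never builds an HTML string at all. All function names and the stub DOM used for running it outside a browser are assumptions.

```javascript
// Characters that must never reach an HTML context unescaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// String-level escaping: same protective effect as jQuery's .text() for
// untrusted cell values, but the caller keeps control of the newlines.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape first, then turn the (already safe) line breaks into <br> tags.
// Because every character of user data is encoded before the <br> tags are
// added, the result can be handed to .html() without interpreting user markup.
function cellHtmlWithNewlines(value) {
  return htmlEncode(value).replace(/\r\n|\r|\n/g, '<br>');
}

// DOM-level alternative: no HTML string is built at all. `cell` and `doc`
// are any objects with the standard DOM methods (a real element and document
// in the browser, the stubs below when run under Node).
function fillCellPreservingNewlines(cell, doc, value) {
  while (cell.firstChild) cell.removeChild(cell.firstChild);
  String(value).split(/\r\n|\r|\n/).forEach((line, i) => {
    if (i > 0) cell.appendChild(doc.createElement('br'));
    cell.appendChild(doc.createTextNode(line)); // text node: markup stays inert
  });
  return cell;
}

// Minimal stand-ins for document and a table cell (constructed for offline
// runs only; they implement just the methods used above).
function makeStubDocument() {
  return {
    createElement: (tag) => ({ nodeName: tag.toUpperCase(), data: null }),
    createTextNode: (text) => ({ nodeName: '#text', data: text }),
  };
}
function makeStubCell() {
  return {
    childNodes: [],
    get firstChild() { return this.childNodes[0] || null; },
    appendChild(node) { this.childNodes.push(node); return node; },
    removeChild(node) { this.childNodes.splice(this.childNodes.indexOf(node), 1); return node; },
  };
}

// Constructed sample value: markup plus a newline, as a user might enter in a cell.
const SAMPLE_VALUE = '<b>bold</b> & "quoted"\nsecond line';
```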
