[Phpmyadmin-devel] Grid editing and escaping

Marc Delisle marc at infomarc.info
Fri Aug 19 20:55:59 CEST 2011


Aris Feryanto wrote:
> On 19 Aug 2011, at 20:37, Marc Delisle <marc at infomarc.info> wrote:
> 
>> Michal Čihař wrote:
>>> Hi
>>> 
>>> On Fri, 19 Aug 2011 08:20:45 -0400 Marc Delisle
>>> <marc at infomarc.info> wrote:
>>> 
>>>> Michal Čihař wrote:
>>>>> Hi
>>>>> 
>>>>> On Fri, 19 Aug 2011 08:00:31 -0400 Marc Delisle
>>>>> <marc at infomarc.info> wrote:
>>>>> 
>>>>>> Aris Feryanto wrote:
>>>>>>> On 19 Aug 2011, at 15:36, Aris Feryanto
>>>>>>> <aris_feryanto at yahoo.com> wrote:
>>>>>>> 
>>>>>>>> Hi Michal,
>>>>>>>> 
>>>>>>>>> From: Michal Čihař <michal at cihar.com>
>>>>>>>>> 
>>>>>>>>> Hi
>>>>>>>>> 
>>>>>>>>> it looks like grid editing does not properly handle
>>>>>>>>> escaping HTML entities. Just try importing
>>>>>>>>> test/test_data/exploit_test.sql and edit any row in
>>>>>>>>> exploit_test.evil_content.
>>>>>>>>> 
>>>>>>>> Thank you for pointing this out. I fixed this in my
>>>>>>>> git.
>>>>>> Ok but I believe I've seen a recent commit by Michal that
>>>>>> fixed this kind of problem in a quicker way; it was about
>>>>>> using .html(x) instead of .text(x) or the reverse :)
>>>>>> 
>>>>>> Michal, can you enlighten us?
>>>>> It was on security list for inline editing :-).
>>>> It was not a commit?
>>> No, because I was totally unsure about it. Herman has reviewed
>>> it and pushed it to MAINT_3_4_4-security about an hour ago.
>> Right, I should buy more RAM for my brain.
>> 
>> Aris, could you make some tests to see if this technique could
>> replace your new escaping function PMA_htmlEncode()?
>> 
>> Instead of $somejQueryObject.html(new_html);
>> 
>> use $somejQueryObject.text(new_html);
>> 
> 
> 
> Right, Marc. When I was fixing this bug, I decided to use above
> technique to handle the HTML escaping. I just forgot to push my
> commits that removed the PMA_htmlEncode function. But, since .text()
> cannot handle new line reliably [0], the new lines in grid edited
> cells may disappear for some browsers. I googled to find a solution
> for this, but cannot find the best cross-browser solution.
> 
> [0] http://api.jquery.com/text/  : (Due to variations in the HTML
> parsers in different browsers, the text returned may vary in newlines
> and other white space.)

Aris,
thanks for the good analysis. I have pushed your code to origin/master. 
Let's continue to look for a solution to the newlines issue.

-- 
Marc Delisle
http://infomarc.info
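The thread above contrasts writing a cell value with jQuery's .html() (raw data is parsed as markup, so content like that in exploit_test.evil_content becomes script) against .text() (safe, but the newline caveat from the jQuery docs applies). The following is an added example, not phpMyAdmin code and not the PMA_htmlEncode() function mentioned above: it escapes the value first and only then turns newlines into <br>, so the result can be handed to .html() without losing line breaks. The function names (escapeHtml, renderCellSafe, renderCellUnsafe, containsOnlyBr) and the sample cell contents are constructed for this illustration.

```javascript
// Added example (not phpMyAdmin's own code): rendering a grid cell value
// into markup without XSS while keeping its newlines.

// Escape the characters HTML interprets in text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: this is what $cell.html(value) receives when value is raw user data.
// A value such as "<script>...</script>" is parsed and executed by the browser.
function renderCellUnsafe(value) {
  return String(value);
}

// Safe: escape every line, then join the lines with <br>.
// Order matters: escaping after inserting <br> would neutralise our own
// line breaks, while splitting on newlines before escaping keeps attacker
// supplied "<br>" text inert (it is escaped like any other tag).
function renderCellSafe(value) {
  return String(value)
    .split(/\r\n|\r|\n/)
    .map(escapeHtml)
    .join('<br>');
}

// Sanity check a rendered string: apart from the <br> we emit ourselves,
// no '<' may survive, because any other '<' would start a tag.
function containsOnlyBr(html) {
  return html.replace(/<br>/g, '').indexOf('<') === -1;
}

// Constructed sample cell contents (not taken from the project's test data).
const samples = [
  '<script>alert(document.cookie)</script>',
  'line one\nline two\r\nline "three"',
  "Tom & Jerry's <b>bold</b>",
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of samples) {
    console.log('unsafe:', renderCellUnsafe(s));
    console.log('safe:  ', renderCellSafe(s));
  }
}
```

In the grid this would be used as `$cell.html(renderCellSafe(value))`; `$cell.text(value)` needs no escaping at all, but then line breaks depend on how each browser's parser reports white space, which is exactly the limitation the jQuery documentation quoted above describes.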
