[Phpmyadmin-devel] htmlspecialchars in PMA_Error

Michal Čihař michal at cihar.com
Fri Mar 30 10:23:27 CEST 2012


On Thu, 29 Mar 2012 22:17:42 +0200
"J.M." <me at mynetx.net> wrote:

> The htmlspecialchars escaping of error messages in PMA_Error,
> introduced in https://github.com/phpmyadmin/phpmyadmin/commit/656809ac3bdc8ba61b84657b8789dde8c0cb8a2e,
> causes problems with error messages containing links. See this photo
> for reference: http://cl.ly/FQ0H, read main.php, lines 293 and 329.
> Do we prefer using trigger_error() or the direct PMA_Message::display variant?

Generally anything that comes as an error from PHP needs to be escaped,
so there are two options:

- pass our error messages to trigger_error as some object (let's call
  it SafeString for now) and if error handler sees SafeString, it won't
  do any processing of that

- do not use trigger_error for anything what includes markup

I'd prefer the first solution (actually marking strings as safe to output
is a generally useful thing to prevent XSS).

	Michal Čihař | http://cihar.com | http://blog.cihar.com
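The first option above, sketched as an added example (this is not phpMyAdmin code, and `SafeString`, `renderErrorMessage` and `pmaErrorHandler` are hypothetical names). One practical caveat shapes the design: `trigger_error()` takes a string, so an object passed to it is coerced through `__toString()` and the handler never sees the object itself. The example therefore has `SafeString` record its exact contents in a registry at construction, and the error handler escapes every message except those it finds there. Untrusted text can still be turned into a `SafeString` by escaping it once at construction, which avoids the double-escaping that motivated the thread. Assumes PHP 7.4 or later for typed properties.

```php
<?php
// Added example, not phpMyAdmin code. Names are hypothetical.
// Requires PHP 7.4+ (typed properties).

final class SafeString
{
    /** @var array<string,true> exact contents that have been marked safe */
    private static array $registry = [];

    private string $markup;

    private function __construct(string $markup)
    {
        $this->markup = $markup;
        // Record the exact text so the handler can still recognise it after
        // trigger_error() has coerced this object to a plain string.
        self::$registry[$markup] = true;
    }

    /** Mark developer-authored markup (e.g. a message with a link) as safe. */
    public static function fromMarkup(string $markup): self
    {
        return new self($markup);
    }

    /** Build a safe string from untrusted text by escaping it exactly once. */
    public static function fromText(string $text): self
    {
        return new self(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
    }

    /** True if this exact message was produced by a SafeString. */
    public static function isSafe(string $message): bool
    {
        return isset(self::$registry[$message]);
    }

    public function __toString(): string
    {
        return $this->markup;
    }
}

/**
 * Render an error message for HTML output. Anything not explicitly marked
 * safe (e.g. a PHP warning that may echo user-controlled input) is escaped.
 */
function renderErrorMessage(string $message): string
{
    return SafeString::isSafe($message)
        ? $message
        : htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

/** Hypothetical error handler in the spirit of PMA_Error. */
function pmaErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    echo '<div class="error">' . renderErrorMessage($errstr) . "</div>\n";
    return true; // handled; do not fall through to PHP's default output
}

set_error_handler('pmaErrorHandler');

// 1. Trusted message containing markup: passes through unescaped.
trigger_error((string) SafeString::fromMarkup(
    'Configuration problem, see <a href="./Documentation.html">the documentation</a>.'
), E_USER_WARNING);

// 2. Message built from untrusted input (constructed sample): escaped once
//    at construction, then emitted as-is by the handler (no double escaping).
$dbName = '<script>alert(1)</script>';
trigger_error((string) SafeString::fromText("Unknown database: $dbName"), E_USER_WARNING);

// 3. Plain string, like a PHP-generated warning that echoes input: escaped by the handler.
trigger_error("Unknown column: $dbName", E_USER_WARNING);
```

Run from the command line, the first `<div>` keeps its `<a>` element, while the second and third contain `&lt;script&gt;` instead of a live tag. The registry is keyed on exact message text, so only strings a developer deliberately wrapped in `SafeString` bypass escaping; a PHP warning that happens to contain markup is still escaped.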
