[Phpmyadmin-devel] XSS safe checks
chirayu.chiripal at gmail.com
Wed Jul 2 09:05:15 CEST 2014
On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal <
chirayu.chiripal at gmail.com> wrote:
> On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng <c4150221 at gmail.com> wrote:
>> >From this comment:
>> I find I save a bookmark which label named
>> "<script>alert("XSS");</script>", it runs while I click SQL tab.
>> Is it safe enough? Should we add htmlspecialchars() to INSERT query
>> included functions(e.g. PMA_Bookmark_save)?
> Please have a look at here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861899
I cannot reproduce this on master before your patch. So, it seems
PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.
>> Edward Cheng
> Chirayu Chiripal
> phpMyAdmin Intern - Google Summer of Code 2014
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Developers