[Phpmyadmin-devel] XSS safe checks

Chirayu Chiripal chirayu.chiripal at gmail.com
Wed Jul 2 09:05:15 CEST 2014


On Wed, Jul 2, 2014 at 12:29 PM, Chirayu Chiripal <
chirayu.chiripal at gmail.com> wrote:

> On Wed, Jul 2, 2014 at 11:56 AM, Edward Cheng <c4150221 at gmail.com> wrote:
>
>> Hi,
>> From this comment:
>>
>> https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861877
>> I find that if I save a bookmark whose label is
>> "<script>alert("XSS");</script>", it runs when I click the SQL tab.
>> Is it safe enough? Should we add htmlspecialchars() to the functions
>> that contain INSERT queries (e.g. PMA_Bookmark_save)?
>>
>
> Hi,
> Please have a look at here also: https://github.com/phpmyadmin/phpmyadmin/commit/fb14e92d62a1d9990bfd4d779702688e873ce60f#commitcomment-6861899
>

I cannot reproduce this on master before your patch. So, it seems
PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.


>
>> --
>> Edward Cheng
>>
>>
> --
> Regards,
> Chirayu Chiripal
> phpMyAdmin Intern - Google Summer of Code 2014
> https://chirayuchiripal.wordpress.com/
>
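To illustrate the distinction this thread turns on, an added example (not phpMyAdmin code; the table and function names are hypothetical): the bookmark label is stored verbatim with a parameterised INSERT, and htmlspecialchars() is applied only where the label is emitted into HTML, so a label such as <script>alert("XSS");</script> is displayed as text rather than executed.

```php
<?php
// Added example with hypothetical names, not phpMyAdmin's own code.
// SQL safety and HTML safety are separate concerns: escaping for HTML at
// INSERT time would alter the stored label and still not cover every
// output context, while a prepared statement already keeps the INSERT safe.

// Storage: the prepared statement handles SQL safety; the label is kept as-is.
function saveBookmarkLabel(PDO $db, string $label, string $query): int
{
    $stmt = $db->prepare(
        'INSERT INTO bookmark_example (label, query) VALUES (:label, :query)'
    );
    $stmt->execute([':label' => $label, ':query' => $query]);
    return (int) $db->lastInsertId();
}

// Output: encode exactly once, at the point the label is placed into HTML.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderBookmarkOption(int $id, string $label): string
{
    return '<option value="' . escapeHtml((string) $id) . '">'
        . escapeHtml($label) . '</option>';
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bookmark_example '
    . '(id INTEGER PRIMARY KEY, label TEXT, query TEXT)');

$hostile = '<script>alert("XSS");</script>';
$id = saveBookmarkLabel($db, $hostile, 'SELECT 1');

// The stored value is unchanged: escaping belongs to the output layer.
$stmt = $db->prepare('SELECT label FROM bookmark_example WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
assert($stored === $hostile);

// The rendered markup contains no raw tag, so the browser shows the label as text.
$html = renderBookmarkOption($id, $stored);
assert(strpos($html, '<script>') === false);
echo $html, PHP_EOL;
```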