[Phpmyadmin-devel] XSS safe checks

Michal Čihař michal at cihar.com
Wed Jul 2 10:36:55 CEST 2014


Hi

Dne Wed, 2 Jul 2014 12:35:15 +0530
Chirayu Chiripal <chirayu.chiripal at gmail.com> napsal(a):

> I cannot reproduce this on master before your patch. So, it seems
> PMA_Bookmark_save is safe enough and htmlspecialchars is not required there.

I think it makes no sense to escape HTML when saving to database, this
should be done at display time whenever displaying data which user can
control (e.g. table/database name, bookmark, SQL query, ...).

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com
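As an added illustration of the point made in this message (example code, not phpMyAdmin's own): user-controlled data such as a bookmark label or SQL query is stored raw and run through a single escaping helper only at the moment it is rendered into HTML. The `$bookmarks` array stands in for the bookmark table, and the function names are made up for this example.

```php
<?php
// Added example (not phpMyAdmin code): store user-controlled data raw,
// escape it exactly once, at display time.
declare(strict_types=1);

// Constructed stand-in for the bookmark table; a real implementation
// would use a parameterised INSERT, which needs no HTML escaping either.
$bookmarks = [];

function saveBookmark(array &$store, string $label, string $query): int
{
    // No htmlspecialchars() here: the database keeps the exact bytes the
    // user entered, so the query can later be executed unchanged.
    $store[] = ['label' => $label, 'query' => $query];
    return count($store) - 1;
}

function h(string $s): string
{
    // The one place HTML escaping happens. ENT_QUOTES covers attribute
    // values delimited by either quote character; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderBookmark(array $bookmark): string
{
    // Escape both the attribute value and the element text.
    return '<li title="' . h($bookmark['label']) . '">'
        . '<code>' . h($bookmark['query']) . '</code></li>';
}

// Constructed input containing characters that are significant in HTML
// but perfectly legitimate in a label or a SQL query.
$label = 'ids " onmouseover="x';
$query = "SELECT * FROM t WHERE a < 5 AND b = '<b>'";
$id = saveBookmark($bookmarks, $label, $query);

// The stored query is byte-for-byte what the user typed, so it remains a
// valid, unaltered SQL statement when the bookmark is executed.
assert($bookmarks[$id]['query'] === $query);

// Had the query been escaped on save, "a < 5" would have been stored as
// "a &lt; 5" and the bookmark would no longer run as intended.
assert(htmlspecialchars($query, ENT_QUOTES, 'UTF-8') !== $query);

// At display time the quote in the label and the angle brackets in the
// query are neutralised, and nothing is escaped twice.
$html = renderBookmark($bookmarks[$id]);
assert(strpos($html, 'onmouseover="x') === false);
assert(strpos($html, '&lt;b&gt;') !== false);
echo $html, PHP_EOL;
```

Running the script prints one `<li>` element whose `title` attribute and `<code>` text are escaped, while the value held in `$bookmarks` is untouched; the same `h()` helper would wrap every other user-controlled string (table name, database name, SQL text) at its own rendering point.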