-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | js/tbl_gis_visualization.js | 2 | ||||
-rw-r--r-- | libraries/rte/rte_triggers.lib.php | 12 |
3 files changed, 13 insertions, 4 deletions
@@ -61,6 +61,9 @@ VerboseMultiSubmit, ReplaceHelpImg
 - bug #3540922 [edit] Error searching table with many fields
 - bug #3555104 [edit] Cannot copy a DB with table & views
+3.5.2.2 (2012-08-12)
+- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
+
 3.5.2.1 (2012-08-03)
 - [security] Fixed local path disclosure vulnerability, see PMASA-2012-3
diff --git a/js/tbl_gis_visualization.js b/js/tbl_gis_visualization.js
index 6ddc14d5ee..6fae5aa148 100644
--- a/js/tbl_gis_visualization.js
+++ b/js/tbl_gis_visualization.js
@@ -298,7 +298,7 @@ $(function() {
      */
     $('.polygon, .multipolygon, .point, .multipoint, .linestring, .multilinestring, ' +
         '.geometrycollection').live('mousemove', function(event) {
-        contents = $.trim($(this).attr('name'));
+        contents = $.trim(escapeHtml($(this).attr('name')));
         $("#tooltip").remove();
         if (contents != '') {
             $('<div id="tooltip">' + contents + '</div>').css({
diff --git a/libraries/rte/rte_triggers.lib.php b/libraries/rte/rte_triggers.lib.php
index c47554a673..29290a67f8 100644
--- a/libraries/rte/rte_triggers.lib.php
+++ b/libraries/rte/rte_triggers.lib.php
@@ -100,8 +100,12 @@ function PMA_TRI_handleEditor()
             // 'Add a new item' mode
             $result = PMA_DBI_try_query($item_query);
             if (! $result) {
-                $errors[] = sprintf(__('The following query has failed: "%s"'), $item_query) . '<br /><br />'
-                    . __('MySQL said: ') . PMA_DBI_getError(null);
+                $errors[] = sprintf(
+                    __('The following query has failed: "%s"'),
+                    htmlspecialchars($item_query)
+                )
+                . '<br /><br />'
+                . __('MySQL said: ') . PMA_DBI_getError(null);
             } else {
                 $message = PMA_Message::success(__('Trigger %1$s has been created.'));
                 $message->addParam(PMA_CommonFunctions::getInstance()->backquote($_REQUEST['item_name']));
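Review bot: The changed line still assigns `contents` without `var`, so every mousemove writes an implicit global; the escaping fix is the right call but the tooltip is then built by concatenating markup, which keeps the page's safety dependent on `escapeHtml` (presumably a project helper, not visible here) being correct in every path. Inserting the value as a text node removes that dependency: `var contents = $.trim($(this).attr('name'));` and, in the `if` branch, `$('<div id="tooltip"></div>').text(contents).css({`. The enclosing handler and the `.css({` call continue outside the hunk.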
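Review bot: Only the query text is escaped on the new side; `PMA_DBI_getError(null)` is still concatenated raw into the same HTML string, and a MySQL syntax error message commonly quotes a fragment of the offending statement, so unescaped user-supplied text can still reach the page through that path unless PMA_DBI_getError() escapes its result (not visible in this hunk). If it does not, escape it at the same point: `. __('MySQL said: ') . htmlspecialchars(PMA_DBI_getError(null));`. The enclosing PMA_TRI_handleEditor() continues outside the hunk.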
@@ -325,7 +329,9 @@ function PMA_TRI_getEditorForm($mode, $item)
                 } else if ($mode == 'edit' && $value == $item['item_table']) {
                     $selected = " selected='selected'";
                 }
-                $retval .= "                    <option$selected>$value</option>\n";
+                $retval .= "<option$selected>";
+                $retval .= htmlspecialchars($value);
+                $retval .= "</option>\n";
             }
             $retval .= "                </select>\n";
             $retval .= "            </td>\n"; |
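Review bot: The rewritten `<option>` lines drop the leading whitespace the removed line emitted inside the generated markup, so the `<option>` rows no longer line up with the surrounding `</select>` and `</td>` lines; that formatting change is incidental to the escaping fix and the three `.=` statements could stay one line, e.g. `$retval .= "    <option$selected>" . htmlspecialchars($value) . "</option>\n";` (indent as in the removed line). Since `$value` only appears as element text here, not in an attribute, the default htmlspecialchars() flags are sufficient for this spot. The enclosing PMA_TRI_getEditorForm() starts and ends outside the hunk.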