Fix XSS in indexes (non-MySQL only)

author Jakub Vrana <jakub@vrana.cz>

Sun, 8 Nov 2015 19:41:44 +0000 (11:41 -0800)

committer Jakub Vrana <jakub@vrana.cz>

Sun, 8 Nov 2015 20:12:16 +0000 (12:12 -0800)
author Jakub Vrana <jakub@vrana.cz>
Sun, 8 Nov 2015 19:41:44 +0000 (11:41 -0800)
committer Jakub Vrana <jakub@vrana.cz>
Sun, 8 Nov 2015 20:12:16 +0000 (12:12 -0800)
diff --git a/adminer/indexes.inc.php b/adminer/indexes.inc.php

index 793c61c06349fbaecade1a7e506315be7c509520..821d0ffb9b983af69d544fec44dd1f4dccea1645 100644 (file)
--- a/adminer/indexes.inc.php
+++ b/adminer/indexes.inc.php
@@ -117,7 +117,7 @@ foreach ($row["indexes"] as $index) {
                 $i = 1;
                 foreach ($index["columns"] as $key => $column) {
                         echo "<span>" . select_input(
-                               " name='indexes[$j][columns][$i]' onchange=\"" . ($i == count($index["columns"]) ? "indexesAddColumn" : "indexesChangeColumn") . "(this, '" . js_escape($jush == "sql" ? "" : $_GET["indexes"] . "_") . "');\"",
+                               " name='indexes[$j][columns][$i]' onchange=\"" . ($i == count($index["columns"]) ? "indexesAddColumn" : "indexesChangeColumn") . "(this, '" . h(js_escape($jush == "sql" ? "" : $_GET["indexes"] . "_")) . "');\"",
                                 ($fields ? array_combine($fields, $fields) : $fields),
                                 $column
                         );
diff --git a/changes.txt b/changes.txt

index 8637467c45836237a0e19cad6797cdb2458898f8..f86fb4d7311c2986bbe9f7b55eae6ad804b2967c 100644 (file)
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
  Adminer 4.2.3-dev:
+Fix XSS in indexes (non-MySQL only)
  Support PHP 7
  Greek translation
  Galician translation
author	Jakub Vrana <jakub@vrana.cz>
	Sun, 8 Nov 2015 19:41:44 +0000 (11:41 -0800)
committer	Jakub Vrana <jakub@vrana.cz>
	Sun, 8 Nov 2015 20:12:16 +0000 (12:12 -0800)
adminer/indexes.inc.php		patch \| blob \| history
changes.txt		patch \| blob \| history