Avoid double escaping

diff --git a/adminer/edit.inc.php b/adminer/edit.inc.php
index c195cd7b6a01e03b28858feddae471c86efc5904..eb4f1beb74ad3d8f371b286b57157a3d007e7738 100644 (file)
--- a/adminer/edit.inc.php
+++ b/adminer/edit.inc.php
@@ -43,7 +43,7 @@ page_header(
        ($update ? lang('Edit') : lang('Insert')),
        $error,
        array("select" => array($TABLE, $table_name)),
-       $table_name
+       $table_name //! two calls of h()
 );
 
 $row = null;

diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index f303b02de944df4c114c69324e02075eca1ce546..b8d8653044f0648d89db99b94c9ee42fe8fd5c65 100644 (file)
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -80,7 +80,7 @@ username.form['driver'].onchange();
        
        /** Table caption used in navigation and headings
        * @param array result of SHOW TABLE STATUS
-       * @return string
+       * @return string HTML code, "" to ignore table
        */
        function tableName($tableStatus) {
                return h($tableStatus["Name"]);
@@ -89,7 +89,7 @@ username.form['driver'].onchange();
        /** Field caption used in select and edit
        * @param array single field returned from fields()
        * @param int order of column in select
-       * @return string
+       * @return string HTML code, "" to ignore field
        */
        function fieldName($field, $order = 0) {
                return '<span title="' . h($field["full_type"]) . '">' . h($field["field"]) . '</span>';

diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index d571bbc458ce7e2b6bec48701fb3f823cfa62fc7..8e71ef0675f7764b7d46341d3f98fa745ef83ca3 100644 (file)
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -757,7 +757,7 @@ function search_tables() {
                                        echo "<ul>\n";
                                        $found = true;
                                }
-                               echo "<li><a href='" . h(ME . "select=" . urlencode($table) . "&where[0][op]=" . urlencode($_GET["where"][0]["op"]) . "&where[0][val]=" . urlencode($_GET["where"][0]["val"])) . "'>" . h($name) . "</a>\n";
+                               echo "<li><a href='" . h(ME . "select=" . urlencode($table) . "&where[0][op]=" . urlencode($_GET["where"][0]["op"]) . "&where[0][val]=" . urlencode($_GET["where"][0]["val"])) . "'>$name</a>\n";
                        }
                }
        }

diff --git a/editor/db.inc.php b/editor/db.inc.php
index 6bf1d2f6ef8b8850cf5181163bde1a6e1f9fe7d2..9c8e7f66a70da4fa4668d2506a5474d3be2d50cb 100644 (file)
--- a/editor/db.inc.php
+++ b/editor/db.inc.php
@@ -13,7 +13,7 @@ if ($adminer->homepage()) {
                $name = $adminer->tableName($row);
                if (isset($row["Engine"]) && $name != "") {
                        echo '<tr' . odd() . '><td>' . checkbox("tables[]", $table, in_array($table, (array) $_POST["tables"], true), "", "formUncheck('check-all');");
-                       echo '<th><a href="' . h(ME) . 'select=' . urlencode($table) . '">' . h($name) . '</a>';
+                       echo "<th><a href='" . h(ME) . 'select=' . urlencode($table) . "'>$name</a>";
                        $val = number_format($row["Rows"], 0, '.', lang(','));
                        echo "<td align='right'><a href='" . h(ME . "edit=") . urlencode($table) . "'>" . ($row["Engine"] == "InnoDB" && $val ? "~ $val" : $val) . "</a>";
                }