bug #4562 [security] XSS in debug SQL output

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
phpmyadmin · Oct 17, 2014 · 57594fe · 57594fe
1 parent 5118938
commit 57594fe
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.0.10.5 (not yet released)
+- bug #4562 [security] XSS in debug SQL output
+
 4.0.10.4 (2014-10-01)
 - bug #4544 [security] XSS vulnerabilities in table search and table structure pages
 

diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
@@ -139,11 +139,11 @@ function PMA_DBI_DBG_query($query, $link, $result, $time)
     } else {
         $_SESSION['debug']['queries'][$hash] = array();
         if ($result == false) {
-            $_SESSION['debug']['queries'][$hash]['error']
-                = '<b style="color:red">' . mysqli_error($link) . '</b>';
+            $_SESSION['debug']['queries'][$hash]['error'] = '<b style="color:red">'
+                . htmlspecialchars(mysqli_error($link)) . '</b>';
         }
         $_SESSION['debug']['queries'][$hash]['count'] = 1;
-        $_SESSION['debug']['queries'][$hash]['query'] = $query;
+        $_SESSION['debug']['queries'][$hash]['query'] = htmlspecialchars($query);
         $_SESSION['debug']['queries'][$hash]['time'] = $time;
     }