bug #4562 [security] XSS in debug SQL output

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
phpmyadmin · Oct 21, 2014 · bd68c54 · bd68c54
1 parent 319aac3
commit bd68c54
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.2.10.1 (not yet released)
+- bug #4562 [security] XSS in debug SQL output
+
 4.2.10.0 (2014-10-11)
 - bug #4361 Can't change font size (when config.inc.php not present)
 - bug #4542 Tab key in column name not shown

diff --git a/libraries/DatabaseInterface.class.php b/libraries/DatabaseInterface.class.php
@@ -139,10 +139,11 @@ private function _dbgQuery($query, $link, $result, $time)
             $_SESSION['debug']['queries'][$hash] = array();
             if ($result == false) {
                 $_SESSION['debug']['queries'][$hash]['error']
-                    = '<b style="color:red">' . mysqli_error($link) . '</b>';
+                    = '<b style="color:red">'
+                        . htmlspecialchars(mysqli_error($link)) . '</b>';
             }
             $_SESSION['debug']['queries'][$hash]['count'] = 1;
-            $_SESSION['debug']['queries'][$hash]['query'] = $query;
+            $_SESSION['debug']['queries'][$hash]['query'] = htmlspecialchars($query);
             $_SESSION['debug']['queries'][$hash]['time'] = $time;
         }