bug #4562 [security] XSS in debug SQL output

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
phpmyadmin · Oct 21, 2014 · f989e2a · f989e2a
1 parent ed89810
commit f989e2a
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.1.14.6 (not yet released)
+- bug #4562 [security] XSS in debug SQL output
+
 4.1.14.5 (2014-10-01)
 - bug #4544 [security] XSS vulnerabilities in table search and table structure pages
 

diff --git a/libraries/DatabaseInterface.class.php b/libraries/DatabaseInterface.class.php
@@ -103,10 +103,11 @@ private function _dbgQuery($query, $link, $result, $time)
             $_SESSION['debug']['queries'][$hash] = array();
             if ($result == false) {
                 $_SESSION['debug']['queries'][$hash]['error']
-                    = '<b style="color:red">' . mysqli_error($link) . '</b>';
+                    = '<b style="color:red">'
+                        . htmlspecialchars(mysqli_error($link)) . '</b>';
             }
             $_SESSION['debug']['queries'][$hash]['count'] = 1;
-            $_SESSION['debug']['queries'][$hash]['query'] = $query;
+            $_SESSION['debug']['queries'][$hash]['query'] = htmlspecialchars($query);
             $_SESSION['debug']['queries'][$hash]['time'] = $time;
         }