]> andersk Git - sql-web.git/blobdiff - tpl/main.php
andersk / sql-web.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix XSS vulnerabilities
[sql-web.git] / tpl / main.php
diff --git a/tpl/main.php b/tpl/main.php
index aa02cefc31649ad9af3bb123c088a7c243a2b7e6..89b0432de92fe5ce0030d1d053130558d8e0ac60 100644 (file)
--- a/tpl/main.php
+++ b/tpl/main.php
@@ -6,7 +6,7 @@ if (isset($i_dropask)) {
        $dropdbs = array_keys($i_dropask);
        echo '<form method="post" action="', $URI,'">';
        foreach($dropdbs as $dbname) {
-               $msg1[] = 'Are you sure you want to drop `'.$dbname.'`? <input style="position:absolute; right:20px;" type="submit" name="drop['.$dbname.']" value="Yes">';
+               $msg1[] = 'Are you sure you want to drop `'.htmlentities($dbname).'`? <input style="position:absolute; right:20px;" type="submit" name="drop['.htmlentities($dbname).']" value="Yes">';
        }
        echo '</form>';
 }
@@ -35,7 +35,7 @@ if (isset($i_dropask)) {
                else $percentage = 0;
                echo printBar($percentage, $db['Name'], str_replace(' ', '&nbsp;', sprintSize($db['nBytes'])));
                echo '</td><td>';
-               echo '<input type="submit" name="dropask[',$db['Name'],']" value="drop">';
+               echo '<input type="submit" name="dropask[',htmlentities($db['Name']),']" value="drop">';
                echo '</td></tr>';
        }
        if ($total>0) {
Unnamed repository; edit this file 'description' to name the repository.
This page took 0.025237 seconds and 4 git commands to generate.