From ff541af95d7155d8dd326f331b5e248fea8e7111 Mon Sep 17 00:00:00 2001
From: William Desportes
Date: Mon, 28 Oct 2019 22:09:44 +0100
Subject: [PATCH] Security patch for Designer and Designer visual mode
Closes: phpmyadmin-security#286
Ref: CVE-2019-18622
Ref: PMASA-2019-5
Signed-off-by: William Desportes
---
js/designer/move.js | 2 +-
templates/database/designer/database_tables.twig | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/js/designer/move.js b/js/designer/move.js
index 48f1a4fe27a..0f8fabfcaad 100644
--- a/js/designer/move.js
+++ b/js/designer/move.js
@@ -576,7 +576,7 @@ function addTableToTablesList (index, table_dom) { ' />' + ' ' + ' ' + db + '.' + table + '' + + ' designer_url_table_name="' + db_encoded + '.' + table_encoded + '">' + $('
').text(db + '.' + table).html() + '' + ''); $('#id_scroll_tab table').first().append($new_table_line); $($new_table_line).find('.scroll_tab_struct').click(function () {
diff --git a/templates/database/designer/database_tables.twig b/templates/database/designer/database_tables.twig
index 1ca1ebe0174..9b77d6eb349 100644
--- a/templates/database/designer/database_tables.twig
+++ b/templates/database/designer/database_tables.twig
@@ -50,7 +50,7 @@ table_name="{{ t_n_url }}" query_set="{{ has_query ? 1 : 0 }}"> {{ designerTable.getDatabaseName() }} - {{ designerTable.getTableName()|raw }} + {{ designerTable.getTableName() }} {% if has_query %} {% if has_query %} " + {# Escaped 2 times to be able to use it in innerHtml #} + option_col_name_modal="{{ 'Add an option for column "%s".'|trans|format(col_name)|escape('html')|escape('html') }}" db_name="{{ db }}" table_name="{{ table_name }}" col_name="{{ col_name }}"
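Review bot: In js/designer/move.js the added `.text(db + '.' + table).html()` escapes only `&`, `<` and `>`, which suits the cell's text content but does not cover the `designer_url_table_name="…"` attribute built on the same line from `db_encoded` and `table_encoded`. Both variables are defined outside the hunk, so it cannot be confirmed here that their encoding also neutralises double quotes; that is worth checking before relying on this line. I would add a comment above it, `// .text().html() escapes &, <, > only: fine for element content, never reuse it for attribute values`, so the idiom is not later copied into the attribute. The body of addTableToTablesList starts and ends outside the hunk.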
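Review bot: Removing `|raw` from `{{ designerTable.getTableName() }}` in database_tables.twig (hunk at line 50) only protects the output while autoescaping stays enabled for this template, and the diffstat shows no test added alongside the fix. A regression test that renders the designer table list with a table name containing HTML metacharacters and asserts the escaped form would stop `|raw` from being reintroduced unnoticed. Any other `|raw` applied to database, table or column names elsewhere in this template, outside the hunk, deserves the same review.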
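Review bot: The double `|escape('html')|escape('html')` on `option_col_name_modal` makes the template compensate for a consumer that assigns the attribute value through innerHTML, and that consumer is not visible in this patch. Changing the reader to a text assignment would let the normal single escape suffice and would avoid other readers of the attribute showing literal entities. If the double escape stays, the comment should name the consumer, for example `{# Escaped twice: read by <consumer script> and assigned via innerHTML #}`. The neighbouring `db_name`, `table_name` and `col_name` attributes receive only the automatic escape, so they should be checked for the same innerHTML path.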