diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 85c501c0..383f1e51 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -38,7 +38,7 @@ var areYouSure = '';
- onkeydown="bodyKeydown(event);" onload="bodyLoad('server_info, 0, 3) : ""); ?>');">
+ onkeydown="bodyKeydown(event);" onload="bodyLoad('server_info, 0, 3) : ""); ?>');">
diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index d6a6ffc9..89b393dd 100644
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -130,7 +130,7 @@ function optionlist($options, $selected = null, $use_keys = false) {
 */
 function html_select($name, $options, $value = "", $onchange = true) {
 if ($onchange) {
- return "";
+ return "";
 }
 $return = "";
 foreach ($options as $key => $val) {
@@ -676,7 +676,7 @@ function input($field, $value, $function) {
 }
 $first++;
 }
- $onchange = ($first ? " onchange=\"var f = this.form['function[" . js_escape($name) . "]']; if ($first > f.selectedIndex) f.selectedIndex = $first;\"" : "");
+ $onchange = ($first ? " onchange=\"var f = this.form['function[" . h(js_escape($name)) . "]']; if ($first > f.selectedIndex) f.selectedIndex = $first;\"" : "");
 $attrs .= $onchange;
 echo (count($functions) > 1 ? html_select("function[$name]", $functions, !isset($function) || in_array($function, $functions) || isset($functions[$function]) ? $function : "", "functionChange(this);") : nbsp(reset($functions))) . '';
 $input = $adminer->editInput($_GET["edit"], $field, $attrs, $value); // usage in call is without a table
diff --git a/adminer/trigger.inc.php b/adminer/trigger.inc.php
index 1ac3930f..d072c263 100644
--- a/adminer/trigger.inc.php
+++ b/adminer/trigger.inc.php
@@ -30,7 +30,7 @@ if ($_POST) {
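Review bot: The `server_info` substring echoed into `onload="bodyLoad('…')"` is a value reported by the database server the user connects to, so it lands inside a JavaScript string literal that itself sits in an HTML attribute; `substr(…, 0, 3)` bounds its length but does not neutralise a quote or an angle bracket. In this rendering the removed and added lines read identically, so the actual change sits in the PHP echo segment that extraction dropped; it should pass the value through `h(js_escape(...))` rather than `js_escape()` alone, because the attribute value is HTML-decoded before the script parser sees the string. A short comment on the line would keep the next editor from undoing that order: `<?php // server_info is server-supplied: JS-string escape first, then attribute escape ?>`.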
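Review bot: `$onchange` is used both as a flag (default `true`) and as JavaScript source text (`"functionChange(this);"` in the later `input()` hunk), and the changed `return` line presumably builds the `<select>` start tag from it and from `$name`; the tag text was lost to extraction, so whether both values go through `h()` cannot be checked from this view, and it matters because the `input()` hunk passes `"function[$name]"` unescaped and relies on this function. The docblock closed by the `*/` context line should state that contract, e.g. `@param mixed $onchange true, or JavaScript for the onchange attribute (attribute-escaped here); any truthy value takes the early-return branch`. html_select's body continues past the hunk.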
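Review bot: The new `h(js_escape($name))` nesting is correct but nothing records why, and the order is easy to flip in a later edit: the browser HTML-decodes the `onchange` attribute value before the script parser sees the string literal, so the inner escape must be the JavaScript one and the outer the attribute one. Suggested comment above the assignment: `// js_escape() first, then h(): the attribute is HTML-decoded before the JS parser sees the string`. The following `html_select("function[$name]", …)` call still passes `$name` raw and relies on `html_select()` to attribute-escape it, which this hunk does not show; `$first` appears to be a plain counter (`$first++` above) and is safe to interpolate. input()'s body starts and ends outside the hunk.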
-
+
diff --git a/changes.txt b/changes.txt
index 32129d15..b268553b 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 3.3.1-dev:
+Fix XSS introduced in Adminer 3.2.0
 Fix altering default values (PostgreSQL)
 Process list (PostgreSQL)