From 4043092ec2c0de2258d60a99d0c5958637d051a7 Mon Sep 17 00:00:00 2001
From: Jakub Vrana <jakub@vrana.cz>
Date: Fri, 14 May 2021 06:39:01 +0200
Subject: [PATCH] Escape link in doc_link (bug #797)

---
 adminer/include/editing.inc.php | 2 +-
 changes.txt                     | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/adminer/include/editing.inc.php b/adminer/include/editing.inc.php
index 88d66d44..5556b014 100644
--- a/adminer/include/editing.inc.php
+++ b/adminer/include/editing.inc.php
@@ -542,7 +542,7 @@ function doc_link($paths, $text = "<sup>?</sup>") {
 		$urls['sql'] = "https://mariadb.com/kb/en/library/";
 		$paths['sql'] = (isset($paths['mariadb']) ? $paths['mariadb'] : str_replace(".html", "/", $paths['sql']));
 	}
-	return ($paths[$jush] ? "<a href='$urls[$jush]$paths[$jush]'" . target_blank() . ">$text</a>" : "");
+	return ($paths[$jush] ? "<a href='" . h($urls[$jush] . $paths[$jush]) . "'" . target_blank() . ">$text</a>" : "");
 }
 
 /** Wrap gzencode() for usage in ob_start()
diff --git a/changes.txt b/changes.txt
index 9622f194..a9e45a5c 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.8.1-dev:
+Internet Explorer or PDO in Adminer 4.7.8-4.8.0: Fix XSS in doc_link (bug #797)
 Fix more PHP 8 warnings (bug #781)
 Avoid PHP warnings with PDO drivers (bug #786, regression from 4.7.8)
 MySQL: Allow moving views to other DB and renaming DB with views (bug #783)