From 5c395afc098e501be3417017c6421968aac477bd Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Sat, 6 Feb 2021 19:04:15 +0100
Subject: [PATCH] Fix XSS in browsers which don't encode URL parameters (bug #775)

---
 adminer/sql.inc.php | 2 +-
 changes.txt | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/adminer/sql.inc.php b/adminer/sql.inc.php
index 69ba1779..0192959a 100644
--- a/adminer/sql.inc.php
+++ b/adminer/sql.inc.php
@@ -222,7 +222,7 @@ if (!isset($_GET["import"])) {
 }
 echo "

";
 textarea("query", $q, 20);
- echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . remove_from_uri("sql|limit|error_stops|only_errors") . "');");
+ echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . js_escape(remove_from_uri("sql|limit|error_stops|only_errors|history")) . "');");
 echo "

$execute\n";
 echo lang('Limit rows') . ": \n";

diff --git a/changes.txt b/changes.txt
index 5a9b0207..2757183c 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.7.9-dev:
+Fix XSS in browsers which don't encode URL parameters (bug #775, regression from 4.7.0)
 Elasticsearch, ClickHouse: Do not print response if HTTP code is not 200
 Don't syntax highlight during IME composition (bug #747)
 MySQL: Do not export names in quotes with sql_mode='ANSI_QUOTES' (bug #749)
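Review bot: The added `js_escape(remove_from_uri(...))` lands inside a single-quoted JavaScript string literal that `script()` presumably emits as an inline script block, so the escaper has to neutralize more than the apostrophe and backslash: a `</script` sequence (in practice any unescaped `/`) in the URI would let the HTML parser close the script element before the JS parser ever sees the string, and the hunk does not show `js_escape`'s implementation, so please confirm it covers that case. Because the value appears to derive from the request URI, which is attacker-controlled regardless of how the browser encodes it, a short why-comment at the call site would help keep the regression the commit message describes from recurring, e.g. `// request URI is untrusted input; it must be js_escape()d inside the JS string literal (bug #775)`. The same line also adds `history` to the parameters that `remove_from_uri` strips, a behaviour change the commit message and changelog entry do not mention; a sentence explaining why it is needed here would make the intent clear. The enclosing `if (!isset($_GET["import"]))` block begins and ends outside the hunk.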