Avoid double escaping

2011-03-24 02:19:21 +01:00 · 2011-03-24 02:19:21 +01:00 · 5ee14079b8
parent 07e4476e78
commit 5ee14079b8
4 changed files with 5 additions and 5 deletions
--- a/adminer/edit.inc.php
+++ b/adminer/edit.inc.php
@ -43,7 +43,7 @@ page_header(
 	($update ? lang('Edit') : lang('Insert')),
 	$error,
 	array("select" => array($TABLE, $table_name)),
-	$table_name
+	$table_name //! two calls of h()
 );

 $row = null;
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@ -80,7 +80,7 @@ username.form['driver'].onchange();
 	
 	/** Table caption used in navigation and headings
 	* @param array result of SHOW TABLE STATUS
-	* @return string
+	* @return string HTML code, "" to ignore table
 	*/
 	function tableName($tableStatus) {
 		return h($tableStatus["Name"]);
@ -89,7 +89,7 @@ username.form['driver'].onchange();
 	/** Field caption used in select and edit
 	* @param array single field returned from fields()
 	* @param int order of column in select
-	* @return string
+	* @return string HTML code, "" to ignore field
 	*/
 	function fieldName($field, $order = 0) {
 		return '<span title="' . h($field["full_type"]) . '">' . h($field["field"]) . '</span>';
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@ -757,7 +757,7 @@ function search_tables() {
 					echo "<ul>\n";
 					$found = true;
 				}
-				echo "<li><a href='" . h(ME . "select=" . urlencode($table) . "&where[0][op]=" . urlencode($_GET["where"][0]["op"]) . "&where[0][val]=" . urlencode($_GET["where"][0]["val"])) . "'>" . h($name) . "</a>\n";
+				echo "<li><a href='" . h(ME . "select=" . urlencode($table) . "&where[0][op]=" . urlencode($_GET["where"][0]["op"]) . "&where[0][val]=" . urlencode($_GET["where"][0]["val"])) . "'>$name</a>\n";
 			}
 		}
 	}
--- a/editor/db.inc.php
+++ b/editor/db.inc.php
@ -13,7 +13,7 @@ if ($adminer->homepage()) {
 		$name = $adminer->tableName($row);
 		if (isset($row["Engine"]) && $name != "") {
 			echo '<tr' . odd() . '><td>' . checkbox("tables[]", $table, in_array($table, (array) $_POST["tables"], true), "", "formUncheck('check-all');");
-			echo '<th><a href="' . h(ME) . 'select=' . urlencode($table) . '">' . h($name) . '</a>';
+			echo "<th><a href='" . h(ME) . 'select=' . urlencode($table) . "'>$name</a>";
 			$val = number_format($row["Rows"], 0, '.', lang(','));
 			echo "<td align='right'><a href='" . h(ME . "edit=") . urlencode($table) . "'>" . ($row["Engine"] == "InnoDB" && $val ? "~ $val" : $val) . "</a>";
 		}