Fix XSS in login form (bug #436)

adminer/include/auth.inc.php

@@ -114,8 +114,13 @@ function unset_permanent() {
 	cookie("adminer_permanent", implode(" ", $permanent));
 }
 
+/** Renders an error message and a login form
+* @param string plain text
+* @return null exits
+*/
 function auth_error($error) {
 	global $adminer, $has_token;
+	$error = h($error);
 	$session_name = session_name();
 	if (isset($_GET["username"])) {
 		header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header

changes.txt

@@ -1,4 +1,5 @@
 Adminer 4.2.0-dev:
+Fix XSS in login form (bug #436)
 Allow limiting number of displayed rows in SQL command
 Fix reading routine column collations
 Unlock session in alter database