Fix XSS in indexes (non-MySQL only)

2025-08-25 15:31:15 +02:00 · 2015-11-08 11:41:44 -08:00
parent 6c6bb45d3d
commit 4be0b6655e
2 changed files with 2 additions and 1 deletions
--- a/adminer/indexes.inc.php
+++ b/adminer/indexes.inc.php
@@ -117,7 +117,7 @@ foreach ($row["indexes"] as $index) {
 		$i = 1;
 		foreach ($index["columns"] as $key => $column) {
 			echo "<span>" . select_input(
-				" name='indexes[$j][columns][$i]' onchange=\"" . ($i == count($index["columns"]) ? "indexesAddColumn" : "indexesChangeColumn") . "(this, '" . js_escape($jush == "sql" ? "" : $_GET["indexes"] . "_") . "');\"",
+				" name='indexes[$j][columns][$i]' onchange=\"" . ($i == count($index["columns"]) ? "indexesAddColumn" : "indexesChangeColumn") . "(this, '" . h(js_escape($jush == "sql" ? "" : $_GET["indexes"] . "_")) . "');\"",
 				($fields ? array_combine($fields, $fields) : $fields),
 				$column
 			);
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.2.3-dev:
 Fix XSS in indexes (non-MySQL only)
 Support PHP 7
 Greek translation
 Galician translation