Fix XSS in browsers which don't encode URL parameters (bug #775)

2025-08-12 17:44:07 +02:00 · 2021-02-06 19:04:15 +01:00
parent cde988853d
commit 5c395afc09
2 changed files with 2 additions and 1 deletions
--- a/adminer/sql.inc.php
+++ b/adminer/sql.inc.php
@@ -222,7 +222,7 @@ if (!isset($_GET["import"])) {
 	}
 	echo "<p>";
 	textarea("query", $q, 20);
-	echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . remove_from_uri("sql|limit|error_stops|only_errors") . "');");
+	echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . js_escape(remove_from_uri("sql|limit|error_stops|only_errors|history")) . "');");
 	echo "<p>$execute\n";
 	echo lang('Limit rows') . ": <input type='number' name='limit' class='size' value='" . h($_POST ? $_POST["limit"] : $_GET["limit"]) . "'>\n";