Fix XSS in login form (bug #436)

2025-08-09 16:17:48 +02:00 · 2015-02-07 10:40:51 -08:00
parent 411d198d0d
commit c990de3b3e
2 changed files with 6 additions and 0 deletions
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -114,8 +114,13 @@ function unset_permanent() {
 	cookie("adminer_permanent", implode(" ", $permanent));
 }

+/** Renders an error message and a login form
+* @param string plain text
+* @return null exits
+*/
 function auth_error($error) {
 	global $adminer, $has_token;
+	$error = h($error);
 	$session_name = session_name();
 	if (isset($_GET["username"])) {
 		header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.2.0-dev:
+Fix XSS in login form (bug #436)
 Allow limiting number of displayed rows in SQL command
 Fix reading routine column collations
 Unlock session in alter database