Description
Currently, when deactivating "htmlSpecialChars", the HTML code is always escaped.
In the fix for #850, the check of the function parameter $htmlspecialchars was removed before executing htmlspecialchars() on the variable.
Environment
ADOdb version: 5.22.5
Driver or Module: mysqli
Database type and version: MariaDB 10.6
PHP version: 8.1
Platform: debian
I have tested that the problem is reproducible in the latest release
Steps to reproduce
$sql = 'Select "this<br>is<br>html<br>code" as htmlCode';
$pager = new AdoDbPager($conn, $sql);
$pager->htmlSpecialChars = false;
$pager->Render();
Expected behavior
Add the $htmlspecialchars check before using htmlspecialchars() on the variable.
AdoDbPager, I guess you actually meant ADODB_Pager? Or is that a custom class of yours?
I don't know if you just used the Pager for demonstrating the problem, but if not I would strongly advise against setting $pager->htmlSpecialChars = false; unless you have full confidence about the underlying data, as this leaves you vulnerable to cross-site-scripting (XSS) attacks. Try it:
$sql = "select 'XSS <script>alert(\"p4wned\")</script>' as htmlCode";
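The following is an added example, not ADOdb's own code: a minimal cell renderer that honours an $htmlSpecialChars flag the way the issue expects ADODB_Pager to (escaping by default, skipped only when the caller passes false), run over constructed rows holding the two SELECT results quoted in the issue and in the comment above, so the XSS consequence of turning the flag off is visible in the output. The function names, the SAMPLE_ROWS constant and the table markup are assumptions for illustration.

```php
<?php
// Added example (not ADOdb's own code): a minimal cell renderer that honours
// an $htmlSpecialChars flag the way the issue expects ADODB_Pager to, and a
// check showing what the comment above warns about when the flag is off.

// Constructed rows standing in for the two SELECT results quoted on the page.
const SAMPLE_ROWS = [
    ['htmlCode' => 'this<br>is<br>html<br>code'],
    ['htmlCode' => 'XSS <script>alert("p4wned")</script>'],
];

/**
 * Render one cell. Escaping is the default; it is only skipped when the
 * caller explicitly passes false, which is the check the issue asks for.
 */
function renderCell(string $value, bool $htmlSpecialChars = true): string
{
    if ($htmlSpecialChars) {
        // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids an
        // empty result on invalid UTF-8, which would silently drop the cell.
        $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return '<td>' . $value . '</td>';
}

/** Render a whole result set as table rows, passing the flag through. */
function renderRows(array $rows, bool $htmlSpecialChars = true): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $value) {
            $html .= renderCell((string) $value, $htmlSpecialChars);
        }
        $html .= "</tr>\n";
    }
    return $html;
}

// Default (escaped): both rows are inert text, no markup is interpreted.
$escaped = renderRows(SAMPLE_ROWS);
assert(!str_contains($escaped, '<script>'));
assert(str_contains($escaped, '&lt;br&gt;'));

// Flag off: the <br> row renders as intended, but so does the script tag.
$raw = renderRows(SAMPLE_ROWS, false);
assert(str_contains($raw, '<br>'));
assert(str_contains($raw, '<script>'));

echo $escaped, $raw;
```

Run with zend.assertions=1 so the assert() calls are evaluated; with the default production setting they are compiled out and only the two renderings are printed.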