From d75cf94f5ba218983e52bfba57cad118282417f0 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Sat, 21 Jun 2008 13:16:05 +0000 Subject: [PATCH] adjust table comments protection to the updated advisory (db print view and db data dictionary) --- ChangeLog | 2 +- db_datadict.php | 2 +- db_printview.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09f6068094..373ef1abe4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,7 +24,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - [structure] do not remove the BINARY attribute in drop-down - bug #1955386 [session] Overriding session.hash_bits_per_character - [interface] sanitize the table comments in table print view, - thanks to Norman Hippert + db print view and db data dictionary, thanks to Norman Hippert - bug #1939031 Auto_Increment selected for TimeStamp by Default - patch #1957998 [display] No tilde for InnoDB row counter when we know it for sure, thanks to Vladyslav Bakayev - dandy76 diff --git a/db_datadict.php b/db_datadict.php index 742f12141f..9d35f504e7 100644 --- a/db_datadict.php +++ b/db_datadict.php @@ -165,7 +165,7 @@ while ($row = PMA_DBI_fetch_assoc($rowset)) { * Displays the comments of the table if MySQL >= 3.23 */ if (!empty($show_comment)) { - echo $strTableComments . ': ' . $show_comment . '

'; + echo $strTableComments . ': ' . htmlspecialchars($show_comment) . '

'; } /** diff --git a/db_printview.php b/db_printview.php index ed9baac80c..9b53f0cb41 100644 --- a/db_printview.php +++ b/db_printview.php @@ -166,7 +166,7 @@ else { '; } else { $needs_break = ''; -- 2.11.4.GIT
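Review bot: The new `htmlspecialchars($show_comment)` call in the db_datadict.php hunk is passed neither flags nor a charset, and nothing at the echo records why this value is escaped. With the default flags single quotes are left as they are, which is enough where the comment is printed as element text after `$strTableComments . ': '`, but not if the value is later reused inside a single-quoted attribute. I would add a comment above the echo such as `// table comments are user-supplied metadata; escape for HTML text output`, so the escaping is not dropped in a later cleanup. The assignment of `$show_comment` and the rest of the `while` loop lie outside the hunk, so it is worth confirming that no other echo in that loop prints table or column metadata unescaped. The changed lines of the db_printview.php hunk are not visible on this page, so this note covers db_datadict.php only.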