[security] properly escape name of newly created table, see PMASA-2012-4

ruleant · ruleant · commit e094f34bed5e · 2012-08-12T13:52:46.000+02:00
diff --git a/tbl_create.php b/tbl_create.php
@@ -287,7 +287,9 @@
             $new_table_string .= '<td align="center"> <input type="checkbox" id="checkbox_tbl_" name="selected_tbl[]" value="'.htmlspecialchars($table).'" /> </td>' . "\n";
 
             $new_table_string .= '<th>';
-            $new_table_string .= '<a href="sql.php' . PMA_generate_common_url($tbl_url_params) . '">'. $table . '</a>';
+            $new_table_string .= '<a href="sql.php'
+                . PMA_generate_common_url($tbl_url_params) . '">'
+                . htmlspecialchars($table) . '</a>';
 
             if (PMA_Tracker::isActive()) {
                 $truename = str_replace(' ', '&nbsp;', htmlspecialchars($table));
