Backported patch for phpMyAdmin 4.4.x; mysql.user and mysql.db show code instead of usernames. 

Further details:
 - https://github.com/phpmyadmin/phpmyadmin/issues/12483
 - https://github.com/phpmyadmin/phpmyadmin/issues/12341
 - https://github.com/phpmyadmin/phpmyadmin/issues/12479
 - https://github.com/phpmyadmin/phpmyadmin/commit/38cf23470728537bed4330a0e669fa636d157eab
 - https://github.com/phpmyadmin/phpmyadmin/commit/cbd6137c03a7cf0db7b361bf34656e4c046d863b
 - https://github.com/phpmyadmin/phpmyadmin/commit/48b6dd58d8d7efa30b5330108eb3fd38f5230e23
 - https://github.com/phpmyadmin/phpmyadmin/commit/72cc1f9f513cb7252e40e46ce74f5b8ce2449ffc
 - https://github.com/phpmyadmin/phpmyadmin/commit/265efb046fe50acb8ca277da533911414af177d3
 - https://github.com/phpmyadmin/phpmyadmin/commit/ed6188d2c89deb7d46df958b07de5cf0ca24f2f7

--- phpMyAdmin-4.4.15.10/js/config.js				2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/js/config.js				2018-05-16 14:53:23.000000000 +0200
@@ -7,7 +7,7 @@
  * Unbind all event handlers before tearing down a page
  */
 AJAX.registerTeardown('config.js', function () {
-    $('input[id], select[id], textarea[id]').unbind('change').unbind('keyup');
+    $('.optbox input[id], .optbox select[id], .optbox textarea[id]').unbind('change').unbind('keyup');
     $('input[type=button][name=submit_reset]').unbind('click');
     $('div.tabs_contents').undelegate();
     $('#import_local_storage, #export_local_storage').unbind('click');
@@ -444,7 +444,7 @@
     var $field = $(field);
     var errors = {};
     validate_field($field, isKeyUp, errors);
-    validate_fieldset($field.closest('fieldset'), isKeyUp, errors);
+    validate_fieldset($field.closest('fieldset.optbox'), isKeyUp, errors);
     displayErrors(errors);
 }
 
@@ -479,8 +479,8 @@
 
 AJAX.registerOnload('config.js', function () {
     // register validators and mark custom values
-    var $elements = $('input[id], select[id], textarea[id]');
-    $('input[id], select[id], textarea[id]').each(function () {
+    var $elements = $('.optbox input[id], .optbox select[id], .optbox textarea[id]');
+    $('.optbox input[id], .optbox select[id], .optbox textarea[id]').each(function () {
         markField(this);
         var $el = $(this);
         $el.bind('change', function () {
@@ -511,7 +511,7 @@
             validate_field($elements[i], false, errors);
         }
         // run all fieldset validators
-        $('fieldset').each(function () {
+        $('fieldset.optbox').each(function () {
             validate_fieldset(this, false, errors);
         });
 
--- phpMyAdmin-4.4.15.10/libraries/DisplayResults.class.php	2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/libraries/DisplayResults.class.php	2018-05-16 14:47:47.000000000 +0200
@@ -3116,7 +3116,7 @@
         $divider = strpos($link_relations['default_page'], '?') ? '&' : '?';
         if (empty($link_relations['link_dependancy_params'])) {
             return $link_relations['default_page']
-                . PMA_URL_getCommon($linking_url_params, 'html', $divider);
+                . PMA_URL_getCommon($linking_url_params, 'raw', $divider);
         }
 
         foreach ($link_relations['link_dependancy_params'] as $new_param) {
@@ -3140,7 +3140,7 @@
         }
 
         return $link_relations['default_page']
-            . PMA_URL_getCommon($linking_url_params, 'html', $divider);
+            . PMA_URL_getCommon($linking_url_params, 'raw', $divider);
     }
 
 
--- phpMyAdmin-4.4.15.10/libraries/navigation/NavigationHeader.class.php	2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/libraries/navigation/NavigationHeader.class.php	2018-05-16 15:13:54.000000000 +0200
@@ -93,9 +93,9 @@
             $logo_link = trim(
                 htmlspecialchars($GLOBALS['cfg']['NavigationLogoLink'])
             );
-            $parsed = parse_url($logo_link);
-            /* Allow only links with http/https */
-            if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https'))) {
+            // prevent XSS, see PMASA-2013-9
+            // if link has protocol, allow only http and https
+            if (! PMA_checkLink($logo_link, true)) {
                 $logo_link = 'index.php';
             }
             $retval .= '    <a href="' . $logo_link;
--- phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php	2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php	2018-05-16 14:51:32.000000000 +0200
@@ -46,9 +46,7 @@
     public function applyTransformation($buffer, $options = array(), $meta = '')
     {
         $url = (isset($options[0]) ? $options[0] : '') . $buffer;
-        $parsed = parse_url($url);
-        /* Do not allow javascript links */
-        if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'))) {
+        if (! PMA_checkLink($url, true, true)) {
             return htmlspecialchars($url);
         }
         return '<a href="' . htmlspecialchars($url)
--- phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php	2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php	2018-05-16 14:52:04.000000000 +0200
@@ -46,9 +46,7 @@
     public function applyTransformation($buffer, $options = array(), $meta = '')
     {
         $url = (isset($options[0]) ? $options[0] : '') . ((isset($options[2]) && $options[2]) ? '' : $buffer);
-        $parsed = parse_url($url);
-        /* Do not allow javascript links */
-        if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'))) {
+        if (! PMA_checkLink($url, true, true)) {
             return htmlspecialchars($url);
         }
         return '<a href="'
--- phpMyAdmin-4.4.15.10/libraries/sanitizing.lib.php		2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/libraries/sanitizing.lib.php		2018-05-16 15:10:55.000000000 +0200
@@ -12,25 +12,53 @@
 /**
  * Checks whether given link is valid
  *
- * @param string $url URL to check
+ * @param string  $url   URL to check
+ * @param boolean $http  Whether to allow http links
+ * @param boolean $other Whether to allow ftp and mailto links
  *
  * @return boolean True if string can be used as link
  */
-function PMA_checkLink($url)
+function PMA_checkLink($url, $http=false, $other=false)
 {
+    $url = strtolower($url);
     $valid_starts = array(
-        'http://',
         'https://',
-        './url.php?url=http%3A%2F%2F',
-        './url.php?url=https%3A%2F%2F',
+        './url.php?url=https%3a%2f%2f',
         './doc/html/',
+        # possible values from $GLOBALS['cfg']['DefaultTabTable'] and $GLOBALS['cfg']['DefaultTabDatabase']
+        './index.php?',
+        './server_databases.php?',
+        './server_status.php?',
+        './server_variables.php?',
+        './server_privileges.php?',
+        './db_structure.php?',
+        './db_sql.php?',
+        './db_search.php?',
+        './db_operations.php?',
+        './tbl_structure.php?',
+        './tbl_sql.php?',
+        './tbl_select.php?',
+        './tbl_change.php?',
+        './sql.php?',
+        # Hardcoded options in libraries/special_schema_links.lib.php
+        './db_events.php?',
+        './db_routines.php?',
+        './server_privileges.php?',
+        './tbl_structure.php?',
     );
+    if ($other) {
+        $valid_starts[] = 'mailto:';
+        $valid_starts[] = 'ftp://';
+    }
+    if ($http) {
+        $valid_starts[] = 'http://';
+    }
     if (defined('PMA_SETUP')) {
         $valid_starts[] = '?page=form&';
         $valid_starts[] = '?page=servers&';
     }
     foreach ($valid_starts as $val) {
-        if (/*overload*/mb_substr($url, 0, /*overload*/mb_strlen($val)) == $val) {
+        if (substr($url, 0, strlen($val)) == $val) {
             return true;
         }
     }
--- phpMyAdmin-4.4.15.10/libraries/special_schema_links.lib.php	2017-01-23 20:08:47.000000000 +0100
+++ phpMyAdmin-4.4.15.10/libraries/special_schema_links.lib.php	2018-05-16 14:47:47.000000000 +0200
@@ -55,7 +55,7 @@
                         'column_name' => 'host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             ),
             'table_name' => array(
                 'link_param' => 'table',
@@ -65,7 +65,7 @@
                         'column_name' => 'Db'
                     ),
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'column_name' => array(
                 'link_param' => 'field',
@@ -79,7 +79,7 @@
                         'column_name' => 'Table_name'
                     )
                 ),
-                'default_page' => 'tbl_structure.php?change_column=1'
+                'default_page' => './tbl_structure.php?change_column=1'
             ),
         ),
         'db' => array(
@@ -91,7 +91,7 @@
                         'column_name' => 'host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             )
         ),
         'event' => array(
@@ -103,7 +103,7 @@
                         'column_name' => 'db'
                     )
                 ),
-                'default_page' => 'db_events.php?edit_item=1'
+                'default_page' => './db_events.php?edit_item=1'
             ),
 
         ),
@@ -116,7 +116,7 @@
                         'column_name' => 'database_name'
                     ),
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'index_name' => array(
                 'link_param' => 'index',
@@ -130,7 +130,7 @@
                         'column_name' => 'table_name'
                     )
                 ),
-                'default_page' => 'tbl_structure.php'
+                'default_page' => './tbl_structure.php'
             ),
         ),
         'innodb_table_stats' => array(
@@ -142,7 +142,7 @@
                         'column_name' => 'database_name'
                     ),
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
         ),
         'proc' => array(
@@ -158,7 +158,7 @@
                         'column_name' => 'type'
                     )
                 ),
-                'default_page' => 'db_routines.php?edit_item=1'
+                'default_page' => './db_routines.php?edit_item=1'
             ),
             'specific_name' => array(
                 'link_param' => 'item_name',
@@ -172,7 +172,7 @@
                         'column_name' => 'type'
                     )
                 ),
-                'default_page' => 'db_routines.php?edit_item=1'
+                'default_page' => './db_routines.php?edit_item=1'
             ),
         ),
         'proc_priv' => array(
@@ -184,7 +184,7 @@
                         'column_name' => 'Host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             ),
             'routine_name' => array(
                 'link_param' => 'item_name',
@@ -198,7 +198,7 @@
                         'column_name' => 'Routine_type'
                     )
                 ),
-                'default_page' => 'db_routines.php?edit_item=1'
+                'default_page' => './db_routines.php?edit_item=1'
             ),
         ),
         'proxies_priv' => array(
@@ -210,7 +210,7 @@
                         'column_name' => 'Host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             ),
         ),
         'tables_priv' => array(
@@ -222,7 +222,7 @@
                         'column_name' => 'Host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             ),
             'table_name' => array(
                 'link_param' => 'table',
@@ -232,7 +232,7 @@
                         'column_name' => 'Db'
                     ),
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
         ),
         'user' => array(
@@ -244,7 +244,7 @@
                         'column_name' => 'host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             )
         )
     ),
@@ -258,7 +258,7 @@
                         'column_name' => 'table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'column_name' => array(
                 'link_param' => 'field',
@@ -272,7 +272,7 @@
                         'column_name' => 'table_name'
                     )
                 ),
-                'default_page' => 'tbl_structure.php?change_column=1'
+                'default_page' => './tbl_structure.php?change_column=1'
             )
         ),
         'key_column_usage' => array(
@@ -284,7 +284,7 @@
                         'column_name' => 'constraint_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'column_name' => array(
                 'link_param' => 'field',
@@ -298,7 +298,7 @@
                         'column_name' => 'table_name'
                     )
                 ),
-                'default_page' => 'tbl_structure.php?change_column=1'
+                'default_page' => './tbl_structure.php?change_column=1'
             ),
             'referenced_table_name' => array(
                 'link_param' => 'table',
@@ -308,7 +308,7 @@
                         'column_name' => 'referenced_table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'referenced_column_name' => array(
                 'link_param' => 'field',
@@ -322,7 +322,7 @@
                         'column_name' => 'referenced_table_name'
                     )
                 ),
-                'default_page' => 'tbl_structure.php?change_column=1'
+                'default_page' => './tbl_structure.php?change_column=1'
             )
         ),
         'partitions' => array(
@@ -334,7 +334,7 @@
                         'column_name' => 'table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             )
         ),
         'processlist' => array(
@@ -346,7 +346,7 @@
                         'column_name' => 'host'
                     )
                 ),
-                'default_page' => 'server_privileges.php'
+                'default_page' => './server_privileges.php'
             )
         ),
         'referential_constraints' => array(
@@ -358,7 +358,7 @@
                         'column_name' => 'constraint_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'referenced_table_name' => array(
                 'link_param' => 'table',
@@ -368,7 +368,7 @@
                         'column_name' => 'constraint_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             )
         ),
         'routines' => array(
@@ -384,13 +384,13 @@
                         'column_name' => 'routine_type'
                     )
                 ),
-                'default_page' => 'db_routines.php'
+                'default_page' => './db_routines.php'
             ),
         ),
         'schemata' => array(
             'schema_name' => array(
                 'link_param' => 'db',
-                'default_page' => $GLOBALS['cfg']['DefaultTabDatabase']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabDatabase']
             )
         ),
         'statistics' => array(
@@ -402,7 +402,7 @@
                         'column_name' => 'table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
             'column_name' => array(
                 'link_param' => 'field',
@@ -416,7 +416,7 @@
                         'column_name' => 'table_name'
                     )
                 ),
-                'default_page' => 'tbl_structure.php?change_column=1'
+                'default_page' => './tbl_structure.php?change_column=1'
             )
         ),
         'tables' => array(
@@ -428,7 +428,7 @@
                         'column_name' => 'table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
         ),
         'table_constraints' => array(
@@ -440,7 +440,7 @@
                         'column_name' => 'table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
         ),
         'views' => array(
@@ -452,7 +452,7 @@
                         'column_name' => 'table_schema'
                     )
                 ),
-                'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+                'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
             ),
         ),
     )