--- a/includes/clientside/static/ajax.js Mon Dec 28 12:19:47 2009 -0500
+++ b/includes/clientside/static/ajax.js Mon Dec 28 16:52:41 2009 -0500
@@ -165,13 +165,14 @@
<div id="mdgPreviewContainer"></div> \
<span id="switcher">' + switcher + '</span><br />\
<form name="mdgAjaxEditor" method="get" action="#" onsubmit="ajaxSavePage(); return false;">\
- <textarea id="ajaxEditArea" rows="20" cols="60" style="display: block; margin: 1em 0 1em 1em; width: 96.5%;">'+ajax.responseText+'</textarea><br />\
+ <textarea id="ajaxEditArea" rows="20" cols="60" style="display: block; margin: 1em 0 1em 1em; width: 96.5%;"></textarea><br />\
Edit summary: <input id="ajaxEditSummary" size="40" /><br />\
<input id="ajaxEditMinor" name="minor" type="checkbox" /> <label for="ajaxEditMinor">This is a minor edit</label><br />\
<a href="#" onclick="void(ajaxSavePage()); return false;">save changes</a> | <a href="#" onclick="void(ajaxShowPreview()); return false;">preview changes</a> | <a href="#" onclick="void(ajaxEditor()); return false;">revert changes</a> | <a href="#" onclick="void(ajaxDiscard()); return false;">discard changes</a>\
<br />\
'+editNotice+'\
</form>';
+ document.getElementById('ajaxEditArea').value = ajax.responseText;
// initTextareas();
if(readCookie('enano_editor_mode') == 'tinymce')
{
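Review bot: `switcher` and `editNotice` are still concatenated into the markup string on the `<span id="switcher">` and `'+editNotice+'` lines, so only `ajax.responseText` has been moved out of HTML parsing. The hunk does not show where those two values come from; if either can carry page- or user-supplied text, it needs escaping or assignment through the DOM as well. The new `document.getElementById('ajaxEditArea').value = ...` line also assumes the markup is already attached to the document; the statement that assigns the string begins above the hunk, so confirm this there. A short comment on the new line would record the intent, for example `// set via .value so the page source is never parsed as HTML`.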
--- a/includes/functions.php Mon Dec 28 12:19:47 2009 -0500
+++ b/includes/functions.php Mon Dec 28 16:52:41 2009 -0500
@@ -1852,8 +1852,8 @@
// Vulnerability reported by fuzion from nukeit.org:
// XSS in closing HTML tag style attribute
// Fix: escape all closing tags with non-whitelisted characters
- $html = preg_replace('!</((?:.*)([^a-z0-9-_:]+)(?:.*))>!', '</\\1>', $html);
-
+ $html = preg_replace('!</((?:[^>]*)([^a-z0-9_:>-]+)(?:[^>]*))>!i', '</\\1>', $html);
+
// Restore stripped comments
$i = 0;
foreach ( $comment_match[0] as $comment )
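Review bot: The replacement argument on the new `preg_replace` line reads `'</\\1>'` as displayed here, which would write the matched closing tag back unchanged. That may only be this page decoding entities, but check that the committed source emits the escaped form (`'&lt;/\\1&gt;'`), as the "Fix: escape all closing tags" comment describes. The pattern change itself (`[^>]*` instead of `.*`, plus the `i` flag) is not explained; a comment such as `// [^>]* keeps the match inside one tag; /i lets upper-case tag names pass the whitelist` would help the next reader. A closing tag with whitespace before `>` will now be escaped too, which looks acceptable but is worth stating. The enclosing function starts and ends outside the hunk.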
@@ -1870,8 +1870,9 @@
$i++;
}
+ // debug
+ // return '<pre>' . htmlspecialchars($html) . '</pre>';
return $html;
-
}
/**
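Review bot: The two added lines leave a commented-out debug `return '<pre>' . htmlspecialchars($html) . '</pre>';` directly above `return $html;` in the sanitizer. Commented-out code of this kind is better dropped before commit, because re-enabling it would change the function's output for every caller. If the dump is needed during development, gate it on whatever debug switch the project already has rather than leaving it as a comment. The function body starts outside the hunk.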