# HG changeset patch
# User Dan
# Date 1262037161 18000
# Node ID 59fee40b4644c460d3f3954efa63971fccf16b49
# Parent 80c903b0ec9cb782cc78e2face863ffd944b785c
Fixed a couple non-security sanitizer and editor bugs
diff -r 80c903b0ec9c -r 59fee40b4644 includes/clientside/static/ajax.js
--- a/includes/clientside/static/ajax.js Mon Dec 28 12:19:47 2009 -0500
+++ b/includes/clientside/static/ajax.js Mon Dec 28 16:52:41 2009 -0500
@@ -165,13 +165,14 @@
\
' + switcher + '
\
';
+ document.getElementById('ajaxEditArea').value = ajax.responseText;
// initTextareas();
if(readCookie('enano_editor_mode') == 'tinymce')
{
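Review bot: The added line dereferences `document.getElementById('ajaxEditArea')` without checking that the element exists, and nothing says why the text is assigned through `.value`. If the markup string built above has not been inserted into the document at this point, the lookup returns null and the editor setup stops with an exception; the insertion is not visible in this hunk, so this is inferred. I would guard it, `var area = document.getElementById('ajaxEditArea'); if ( area ) area.value = ajax.responseText;`, and add a comment such as `// Set through .value so the page source is treated as text, never parsed as markup`. The enclosing function starts and ends outside this hunk.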
diff -r 80c903b0ec9c -r 59fee40b4644 includes/functions.php
--- a/includes/functions.php Mon Dec 28 12:19:47 2009 -0500
+++ b/includes/functions.php Mon Dec 28 16:52:41 2009 -0500
@@ -1852,8 +1852,8 @@
// Vulnerability reported by fuzion from nukeit.org:
// XSS in closing HTML tag style attribute
// Fix: escape all closing tags with non-whitelisted characters
- $html = preg_replace('!((?:.*)([^a-z0-9-_:]+)(?:.*))>!', '</\\1>', $html);
-
+ $html = preg_replace('!((?:[^>]*)([^a-z0-9_:>-]+)(?:[^>]*))>!i', '</\\1>', $html);
+
// Restore stripped comments
$i = 0;
foreach ( $comment_match[0] as $comment )
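Review bot: The result of the new `preg_replace()` call is assigned straight back to `$html`, so a PCRE failure is not handled; it returns `null`, for example when the backtrack limit is hit. The adjacent quantifiers `[^>]*`, `[^a-z0-9_:>-]+` and `[^>]*` overlap in what they can match, so a long run of input with no `>` may backtrack heavily, which is worth confirming with a large test input. Because this step neutralises the reported closing-tag XSS, I would make the failure path explicit and fail closed: `$escaped = preg_replace(/* same pattern and replacement */, $html);` followed by `$html = ( $escaped === null ) ? htmlspecialchars($html) : $escaped;`. A regression test with the originally reported payload, plus an upper-case closing tag to cover the new `i` flag, would also help, since the commit message calls this non-security yet it changes sanitizer output. The enclosing function starts and ends outside this hunk.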
@@ -1870,8 +1870,9 @@
$i++;
}
+ // debug
+ // return '' . htmlspecialchars($html) . '
';
return $html;
-
}
/**