Not sure if $taboo was getting sanitized or not. Possibly an SQL injection vulnerability that allows maliciously crafted group names to inject SQL at a later date when the group CP is loaded. Unconfirmed, theoretical fix.
// Import external list url javascriptvar url = tinyMCE.getParam("template_external_list_url");if (url != null) { // Fix relative if (url.charAt(0) != '/' && url.indexOf('://') == -1) url = tinyMCE.documentBasePath + "/" + url; document.write('<sc'+'ript language="javascript" type="text/javascript" src="' + url + '"></sc'+'ript>');}var TPU = { //Template Popup Utils currentTemplateHTML : null, templates : [], inst : tinyMCE.getInstanceById(tinyMCE.getWindowArg('editor_id')), plugin : tinyMCE.getWindowArg('pluginObj'), data : tinyMCE.selectedInstance.getData('template'), init : function() { document.forms[0].insert.value = tinyMCE.getLang('lang_' + this.data.currentAction, 'Insert', true); TPU.loadTemplatePaths(); if (this.data.currentAction == "update") document.getElementById('warning').innerHTML = tinyMCE.getLang('lang_template_warning'); this.resizeInputs(); }, loadTemplatePaths : function() { var tsrc, sel, x, u; tsrc = tinyMCE.getParam("template_templates", false); sel = document.getElementById('tpath'); // Setup external template list if (!tsrc && typeof(tinyMCETemplateList) != 'undefined') { for (x=0, tsrc = []; x<tinyMCETemplateList.length; x++) tsrc.push({title : tinyMCETemplateList[x][0], src : tinyMCETemplateList[x][1], description : tinyMCETemplateList[x][2]}); } for (x=0; x<tsrc.length; x++) { u = tsrc[x].src; // Force absolute if (u.indexOf('://') == -1 && u.indexOf('/') != 0) u = tinyMCE.documentBasePath + "/" + u; tsrc[x].src = u; } TPU.templates = tsrc; for (x = 0; x < tsrc.length; x++) sel.options[sel.options.length] = new Option(tsrc[x].title, tsrc[x].src); }, selectTemplate : function(o) { var x, d = window.frames['templatesrc'].document; this.currentTemplateHTML = this.plugin._replaceValues(this.getFileContents(o.value)); // Force complete document if (!/<body/gi.test(this.currentTemplateHTML)) { this.currentTemplateHTML = '<html xmlns="http://www.w3.org/1999/xhtml">' + '<head>' + '<title>blank_page</title>' + '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />' + '</head>' + '<body>' + this.currentTemplateHTML + '</body>' + '</html>'; } // Write HTML to preview iframe d.body.innerHTML = this.currentTemplateHTML; // Display description for (x = 0; x < TPU.templates.length; x++) { if (TPU.templates[x].src == o.value) { document.getElementById('tmpldesc').innerHTML = TPU.templates[x].description; break; } } }, insertTemplate : function() { var sel, opt; sel = document.getElementById('tpath'); opt = sel.options[sel.selectedIndex]; // Is it a template or snippet if (TPU.currentTemplateHTML.indexOf('mceTmpl')) tinyMCEPopup.execCommand('mceTemplate', false, {title : opt.text, tsrc : opt.value, body : TPU.currentTemplateHTML}); else tinyMCEPopup.execCommand('mceInsertContent', false, TPU.currentTemplateHTML); tinyMCEPopup.close(); }, getFileContents : function(u) { var x, d, t = 'text/plain'; function g(s) { x = 0; try { x = new ActiveXObject(s); } catch (s) { } return x; }; x = window.ActiveXObject ? g('Msxml2.XMLHTTP') || g('Microsoft.XMLHTTP') : new XMLHttpRequest(); // Synchronous AJAX load file x.overrideMimeType && x.overrideMimeType(t); x.open("GET", u, false); x.send(null); return x.responseText; }, resizeInputs : function() { var wHeight, wWidth, elm; if (!self.innerWidth) { wHeight = document.body.clientHeight - 160; wWidth = document.body.clientWidth - 40; } else { wHeight = self.innerHeight - 160; wWidth = self.innerWidth - 40; } elm = document.getElementById('templatesrc'); if (elm) { elm.style.height = Math.abs(wHeight) + 'px'; elm.style.width = Math.abs(wWidth - 5) + 'px'; } }};