Index: /FCKeditor/trunk/_whatsnew.html
===================================================================
--- /FCKeditor/trunk/_whatsnew.html (revision 7702)
+++ /FCKeditor/trunk/_whatsnew.html (revision 7703)
@@ -34,11 +34,11 @@
FCKeditor ChangeLog - What's New?
- Version 2.6.10
+ Version 2.6.11
Fixed Bugs:
- - Minor security release:
- - Values displayed in the "About" dialog window were not properly escaped - reported by David Sopas.
-
+ - Security release, upgrade is highly recommended .
+ - XSS vulnerability in SpellerPages spell checker - reported by Robin Bailey (Dionach Ltd)
+
Index: /FCKeditor/trunk/_whatsnew_history.html
===================================================================
--- /FCKeditor/trunk/_whatsnew_history.html (revision 7702)
+++ /FCKeditor/trunk/_whatsnew_history.html (revision 7703)
@@ -33,4 +33,15 @@
FCKeditor ChangeLog - What's New?
+
+ Version 2.6.10
+
+ Fixed Bugs:
+
+ - Minor security release:
+ - Values displayed in the "About" dialog window were not properly escaped - reported by David Sopas.
+
+
+
+
Version 2.6.9
Index: /FCKeditor/trunk/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.cfm
===================================================================
--- /FCKeditor/trunk/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.cfm (revision 7702)
+++ /FCKeditor/trunk/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.cfm (revision 7703)
@@ -19,5 +19,9 @@
-
+
+
+
+
+
Index: /FCKeditor/trunk/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
===================================================================
--- /FCKeditor/trunk/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php (revision 7702)
+++ /FCKeditor/trunk/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php (revision 7703)
@@ -14,5 +14,8 @@
$spellercss = '../spellerStyle.css'; // by FredCK
$word_win_src = '../wordWindow.js'; // by FredCK
-
+# ignore invalid data
+if (empty($_POST['textinputs']) || !is_array($_POST['textinputs'])) {
+ die();
+}
$textinputs = $_POST['textinputs']; # array
$input_separator = "A";
@@ -23,7 +26,9 @@
function print_textinputs_var() {
global $textinputs;
- foreach( $textinputs as $key=>$val ) {
+ for( $i = 0; $i < count( $textinputs ); $i++ ) {
+ if (!isset($textinputs[$i]))
+ break;
# $val = str_replace( "'", "%27", $val );
- echo "textinputs[$key] = decodeURIComponent(\"" . htmlspecialchars($val, ENT_QUOTES) . "\");\n";
+ echo "textinputs[$i] = decodeURIComponent(\"" . htmlspecialchars($textinputs[$i], ENT_QUOTES) . "\");\n";
}
}
@@ -82,4 +87,7 @@
if( $fh = fopen( $tempfile, 'w' )) {
for( $i = 0; $i < count( $textinputs ); $i++ ) {
+ # ignore invalid data
+ if (!isset($textinputs[$i]))
+ break;
$text = urldecode( $textinputs[$i] );