Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp	(revision 913)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp	(revision 914)
@@ -50,15 +50,15 @@
 	Public	File, Form
 	Private oSourceData
-	Private nMaxSize, nErr, sAllowed, sDenied
-	
+	Private nMaxSize, nErr, sAllowed, sDenied, sHtmlExtensions
+
 	Private Sub Class_Initialize
 		nErr		= 0
 		nMaxSize	= 1048576
-		
+
 		Set File			= Server.CreateObject("Scripting.Dictionary")
 		File.CompareMode	= 1
 		Set Form			= Server.CreateObject("Scripting.Dictionary")
 		Form.CompareMode	= 1
-		
+
 		Set oSourceData		= Server.CreateObject("ADODB.Stream")
 		oSourceData.Type	= 1
@@ -66,5 +66,5 @@
 		oSourceData.Open
 	End Sub
-	
+
 	Private Sub Class_Terminate
 		Form.RemoveAll
@@ -72,9 +72,9 @@
 		File.RemoveAll
 		Set File = Nothing
-		
+
 		oSourceData.Close
 		Set oSourceData = Nothing
 	End Sub
-	
+
 	Public Property Get Version
 		Version = "NetRube Upload Class Version 2.3 Build 20070528"
@@ -84,15 +84,19 @@
 		ErrNum	= nErr
 	End Property
-	
+
 	Public Property Let MaxSize(nSize)
 		nMaxSize	= nSize
 	End Property
-	
+
 	Public Property Let Allowed(sExt)
 		sAllowed	= sExt
 	End Property
-	
+
 	Public Property Let Denied(sExt)
 		sDenied	= sExt
+	End Property
+
+	Public Property Let HtmlExtensions(sExt)
+		sHtmlExtensions	= sExt
 	End Property
 
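Review bot: The new `Public Property Let HtmlExtensions(sExt)` block carries no comment saying what it expects, and the name reads like a delimited list while the stored value is later used verbatim as a regular-expression pattern (`oRE.Pattern = sHtmlExtensions` in IsHtmlExtension). A one-line comment above the property would keep a caller from passing a comma- or dot-separated list that matches something other than intended: `' Regular-expression alternation of extensions (e.g. "html|htm") whose uploads are expected to contain HTML and are therefore not passed through SniffHtml.` As far as the visible lines show, `sHtmlExtensions` is also never assigned in `Class_Initialize`, unlike `nErr` and `nMaxSize`; it works because an unassigned VBScript variable compares equal to `""`, but an explicit `sHtmlExtensions = ""` there would make that intent visible.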
@@ -108,5 +112,5 @@
 			Exit Sub
 		End If
-		
+
 		Dim nTotalSize
 		nTotalSize	= Request.TotalBytes
@@ -119,5 +123,5 @@
 			Exit Sub
 		End If
-		
+
 		'Thankful long(yrl031715@163.com)
 		'Fix upload large file.
@@ -137,5 +141,5 @@
 			'分块读取
 			nPartBytes = 64 * 1024 '分成每块64k
-			If nPartBytes + ReadBytes > nTotalBytes Then 
+			If nPartBytes + ReadBytes > nTotalBytes Then
 				nPartBytes = nTotalBytes - ReadBytes
 			End If
@@ -145,7 +149,7 @@
 		'**********************************************
 		oSourceData.Position = 0
-		
+
 		Dim oTotalData, oFormStream, sFormHeader, sFormName, bCrLf, nBoundLen, nFormStart, nFormEnd, nPosStart, nPosEnd, sBoundary
-		
+
 		oTotalData	= oSourceData.Read
 		bCrLf		= ChrB(13) & ChrB(10)
@@ -153,10 +157,10 @@
 		nBoundLen	= LenB(sBoundary) + 2
 		nFormStart	= nBoundLen
-		
+
 		Set oFormStream = Server.CreateObject("ADODB.Stream")
-		
+
 		Do While (nFormStart + 2) < nTotalSize
 			nFormEnd	= InStrB(nFormStart, oTotalData, bCrLf & bCrLf) + 3
-			
+
 			With oFormStream
 				.Type	= 1
@@ -171,10 +175,10 @@
 				.Close
 			End With
-			
+
 			nFormStart	= InStrB(nFormEnd, oTotalData, sBoundary) - 1
 			nPosStart	= InStr(22, sFormHeader, " name=", 1) + 7
 			nPosEnd		= InStr(nPosStart, sFormHeader, """")
 			sFormName	= Mid(sFormHeader, nPosStart, nPosEnd - nPosStart)
-			
+
 			If InStr(45, sFormHeader, " filename=", 1) > 0 Then
 				Set File(sFormName)			= New NetRube_FileInfo
@@ -204,8 +208,8 @@
 				End With
 			End If
-			
+
 			nFormStart	= nFormStart + nBoundLen
 		Loop
-		
+
 		oTotalData = ""
 		Set oFormStream = Nothing
@@ -217,15 +221,42 @@
 			Exit Sub
 		End If
-		
+
 		If Not IsAllowed(File(sItem).Ext) Then
 			nErr = 4
 			Exit Sub
 		End If
-		
+
 		If InStr( LCase( sFileName ), "::$data" ) > 0 Then
 			nErr = 4
 			Exit Sub
 		End If
-		
+
+		Dim sFileExt, iFileSize
+		sFileExt	= File(sItem).Ext
+		iFileSize	= File(sItem).Size
+
+		' Check XSS.
+		If Not IsHtmlExtension( sFileExt ) Then
+			' Calculate the size of data to load (max 1Kb).
+			Dim iXSSSize
+			iXSSSize = iFileSize
+
+			If iXSSSize > 1024 Then
+				iXSSSize = 1024
+			End If
+
+			' Read the data.
+			Dim sData
+			oSourceData.Position = File(sItem).Start
+			sData = oSourceData.Read( iXSSSize )	' Byte Array
+			sData = ByteArray2Text( sData )			' String
+
+			' Sniff HTML data.
+			If SniffHtml( sData ) Then
+				nErr = 4
+				Exit Sub
+			End If
+		End If
+
 		Dim oFileStream
 		Set oFileStream = Server.CreateObject("ADODB.Stream")
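Review bot: The sniffing block takes `iXSSSize` from `File(sItem).Size`, calls `oSourceData.Read( iXSSSize )` and then hands the result to `ByteArray2Text`, which indexes it with `UBound`; for an empty upload this is `Read(0)`, and whether that yields an empty array or Null is not visible here — in the Null case `UBound` raises a runtime error and the request fails with an unhandled error instead of an `nErr` code. Wrapping the read in `If iXSSSize > 0 Then` (or skipping the sniff entirely when `iFileSize = 0`) makes the empty-file path explicit. The check is also a heuristic by design, since only the first 1 KB is inspected and only against the patterns in `SniffHtml`, so the `' Check XSS.` comment would serve a maintainer better as `' Heuristic: reject a non-HTML upload whose first 1 KB looks like HTML (presumably so a browser cannot content-sniff it into a page).` The enclosing Sub starts before this hunk.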
@@ -242,5 +273,5 @@
 		Set oFileStream = Nothing
 	End Sub
-	
+
 	Private Function IsAllowed(sExt)
 		Dim oRE
@@ -248,5 +279,5 @@
 		oRE.IgnoreCase	= True
 		oRE.Global		= True
-		
+
 		If sDenied = "" Then
 			oRE.Pattern	= sAllowed
@@ -256,7 +287,63 @@
 			IsAllowed	= Not oRE.Test(sExt)
 		End If
-		
+
 		Set oRE	= Nothing
 	End Function
+
+	Private Function IsHtmlExtension( sExt )
+		If sHtmlExtensions = "" Then
+			Exit Function
+		End If
+
+		Dim oRE
+		Set oRE = New RegExp
+		oRE.IgnoreCase	= True
+		oRE.Global		= True
+		oRE.Pattern		= sHtmlExtensions
+
+		IsHtmlExtension = oRE.Test(sExt)
+
+		Set oRE	= Nothing
+	End Function
+
+	Private Function SniffHtml( sData )
+
+		Dim oRE
+		Set oRE = New RegExp
+		oRE.IgnoreCase	= True
+		oRE.Global		= True
+
+		Dim aPatterns
+		aPatterns = Array( "<!DOCTYPE\W*X?HTML", "<(body|head|html|img|pre|script|table|title)", "type\s*=\s*[\'""]?\s*(?:\w*/)?(?:ecma|java)", "(?:href|src|data)\s*=\s*[\'""]?\s*(?:ecma|java)script:", "url\s*\(\s*[\'""]?\s*(?:ecma|java)script:" )
+
+		Dim i
+		For i = 0 to UBound( aPatterns )
+			oRE.Pattern = aPatterns( i )
+			If oRE.Test( sData ) Then
+				SniffHtml = True
+				Exit Function
+			End If
+		Next
+
+		SniffHtml = False
+
+	End Function
+
+	' Thanks to http://www.ericphelps.com/q193998/index.htm
+	Private Function ByteArray2Text(varByteArray)
+		Dim strData, strBuffer, lngCounter
+		strData = ""
+		strBuffer = ""
+		For lngCounter = 0 to UBound(varByteArray)
+			strBuffer = strBuffer & Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
+			'Keep strBuffer at 1k bytes maximum
+			If lngCounter Mod 1024 = 0 Then
+				strData = strData & strBuffer
+				strBuffer = ""
+			End If
+		Next
+		ByteArray2Text = strData & strBuffer
+	End Function
+
 End Class
 
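Review bot: `IsHtmlExtension` sets `oRE.Pattern = sHtmlExtensions` without anchors, so with the value this revision adds in config.asp (`html|htm|xml|xsd|txt|js`) the test is a substring match: any extension that merely contains `js` or `xml` is classified as HTML and skips `SniffHtml` (for that pattern `oRE.Test("json")` is True). Anchoring inside the function, `oRE.Pattern = "^(" & sHtmlExtensions & ")$"`, fixes this independently of what the config supplies; the config.asp hunk is the alternative place to add the anchors. The early `Exit Function` when `sHtmlExtensions = ""` also leaves the result Empty, which the caller's `If Not IsHtmlExtension(...)` happens to coerce to False; assigning `IsHtmlExtension = False` before the exit removes that reliance. In `SniffHtml`, `oRE.Global = True` has no effect on `Test` and can be dropped, and a header comment stating that the five patterns are a sniffing heuristic applied to at most 1 KB of single-byte-decoded text (see `ByteArray2Text`) would tell a reader what the function does and does not promise.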
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/commands.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/commands.asp	(revision 913)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/commands.asp	(revision 914)
@@ -140,4 +140,5 @@
 	oUploader.Allowed	= ConfigAllowedExtensions.Item( resourceType )
 	oUploader.Denied	= ConfigDeniedExtensions.Item( resourceType )
+	oUploader.HtmlExtensions = ConfigHtmlExtensions
 	oUploader.GetData
 
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp	(revision 913)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp	(revision 914)
@@ -48,4 +48,8 @@
 ConfigAllowedTypes = "File|Image|Flash|Media"
 
+' For security, HTML is allowed in the first Kb of data for files having the
+' following extensions only.
+Dim ConfigHtmlExtensions
+ConfigHtmlExtensions = "html|htm|xml|xsd|txt|js"
 '
 '	Configuration settings for each Resource Type
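Review bot: The comment above `ConfigHtmlExtensions` describes the value as a list of extensions for which "HTML is allowed in the first Kb", but it does not say that the string is consumed as a regular-expression pattern by `IsHtmlExtension` in class_upload.asp, nor what happens to every other upload. Suggest replacing it with `' Uploads whose extension matches this regular expression are expected to contain HTML and are not content-checked; every other upload is rejected if its first 1 KB looks like HTML.` Stating the regex nature here also warns whoever extends the value not to use commas or leading dots, and if the anchoring is to live in the config rather than in `IsHtmlExtension`, this is the line to write it as `"^(html|htm|xml|xsd|txt|js)$"`.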
