On Tue., 2012-07-31 at 21:56 +0200, Frank Habermann wrote:
> Hi,
>
> > an XSS vulnerability was found in fckeditor before 2.6.7. Please try to
> > fix the problem using an isolated fix since we are in freeze.
> >
> > More info can be found at
> > http://disse.cting.org/2012/06/22/fckeditor-reflected-xss-vulnerability/
> Thanks for the advice.
> I found no official solution at the moment.
>
> My solutions for the moment are:
>
> 1. change line 27 to:
> echo "textinputs[$key] = decodeURIComponent(\"" . htmlentities($val, ENT_COMPAT) . "\");\n";
> 2. change line 27 to:
> echo "textinputs[$key] = decodeURIComponent(\"" . htmlspecialchars($val, ENT_QUOTES) . "\");\n";
>
> Both solutions work for me.
>
> I will try to contact upstream to find a solution.

And can you check if ckeditor is affected too?
-- 
Yves-Alexis
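As an added illustration of the fix discussed above (example code written for this page, not FCKeditor's own code and not part of the thread), the PHP below reproduces the pattern of the vulnerable line and the `htmlspecialchars` variant from the quoted message, then runs a constructed payload through both. The function names, the third `rawurlencode` variant and the payload are this example's own assumptions; the third variant is included because the emitted JavaScript already calls `decodeURIComponent()`, so percent-encoding is the encoder that matches that context and round-trips the value, whereas HTML entities stop the breakout but leave `&quot;` in the decoded field.

```php
<?php
// Added example, not FCKeditor code. The spellchecker writes each submitted
// text field into an inline <script> as a double-quoted JS string literal.
// A value containing  ");  closes the literal and the attacker owns the rest
// of the statement (reflected XSS). Three variants of the emitting loop:

// Unsafe pattern: $val is concatenated into the JS literal verbatim.
function emit_unsafe(array $textinputs): string {
    $out = '';
    foreach ($textinputs as $key => $val) {
        $out .= "textinputs[$key] = decodeURIComponent(\"" . $val . "\");\n";
    }
    return $out;
}

// Isolated fix from the thread: HTML-encode quotes and angle brackets so
// neither the JS literal nor the <script> element can be closed early.
function emit_htmlspecialchars(array $textinputs): string {
    $out = '';
    foreach ($textinputs as $key => $val) {
        $out .= "textinputs[$key] = decodeURIComponent(\""
              . htmlspecialchars($val, ENT_QUOTES) . "\");\n";
    }
    return $out;
}

// Context-matched alternative (this example's assumption, not proposed in the
// thread): the JS side runs decodeURIComponent(), so percent-encoding keeps
// the value inside the literal and decodes back to the original text.
function emit_rawurlencode(array $textinputs): string {
    $out = '';
    foreach ($textinputs as $key => $val) {
        $out .= "textinputs[$key] = decodeURIComponent(\""
              . rawurlencode($val) . "\");\n";
    }
    return $out;
}

// Constructed payload: closes the literal and the call, then runs its own
// statement and comments out the rest of the line.
$payload = ['0' => 'hello");alert(document.domain);//'];

foreach (['emit_unsafe', 'emit_htmlspecialchars', 'emit_rawurlencode'] as $fn) {
    echo "--- $fn ---\n" . $fn($payload);
}
```

Run it with `php example.php` and compare the three lines: only the unsafe variant produces a second JavaScript statement after `decodeURIComponent("hello")`. Note that `$key` is emitted unencoded in all three variants, exactly as in the quoted line; whether that is reachable by an attacker depends on how `$textinputs` is populated, which the thread does not show.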