fix xss in debugger; move to pure-js version of visualeditor

diff --git a/debugger/action.php b/debugger/action.php
index cb9aa8e..f028723 100644 (file)
--- a/debugger/action.php
+++ b/debugger/action.php
@@ -546,6 +546,7 @@ if ($action) {
 
     <h3>Changelog</h3>
     <ul>
+        <li>2022-12-xx: fix XSS vulnerability in the debugger</li>
         <li>2022-11-28: allow to use http/2 protocol; two security issues fixed in the underlying library</li>
         <li>2020-12-11: fix problems with running the debugger on php 8</li>
         <li>2015-05-30: fix problems with generating method payloads for NIL and Undefined parameters</li>

diff --git a/debugger/controller.php b/debugger/controller.php
index 3708c76..60345df 100644 (file)
--- a/debugger/controller.php
+++ b/debugger/controller.php
@@ -198,7 +198,7 @@ $editorlibs = (defined('JSXMLRPC_PATH') ? JSXMLRPC_PATH : '../..') . '/jsxmlrpc/
         }
 
         function activateeditor() {
-            var url = '<?php echo $editorpath; ?>visualeditor.php?params=<?php echo $alt_payload; ?>';
+            var url = '<?php echo $editorpath; ?>visualeditor.html?params=<?php echo str_replace(array("\\", "'"), array( "\\\\","\\'"), $alt_payload); ?>';
             if (document.frmaction.wstype.value == "1")
                 url += '&type=jsonrpc';
             var wnd = window.open(url, '_blank', 'width=750, height=400, location=0, resizable=1, menubar=0, scrollbars=1');