From 055fc36541802917e3245de62bfc345655ea689e Mon Sep 17 00:00:00 2001
From: gggeek <giunta.gaetano@gmail.com>
Date: Fri, 16 Dec 2022 18:49:35 +0000
Subject: [PATCH] fix xss in debugger; move to pure-js version of visualeditor

---
 debugger/action.php | 1 +
 debugger/controller.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debugger/action.php b/debugger/action.php
index cb9aa8ec..f028723c 100644
--- a/debugger/action.php
+++ b/debugger/action.php
@@ -546,6 +546,7 @@ if ($action) {
 <h3>Changelog</h3>
 <ul>
+ <li>2022-12-xx: fix XSS vulnerability in the debugger</li>
 <li>2022-11-28: allow to use http/2 protocol; two security issues fixed in the underlying library</li>
 <li>2020-12-11: fix problems with running the debugger on php 8</li>
 <li>2015-05-30: fix problems with generating method payloads for NIL and Undefined parameters</li>
diff --git a/debugger/controller.php b/debugger/controller.php
index 3708c76d..60345df3 100644
--- a/debugger/controller.php
+++ b/debugger/controller.php
@@ -198,7 +198,7 @@ $editorlibs = (defined('JSXMLRPC_PATH') ? JSXMLRPC_PATH : '../..') . '/jsxmlrpc/
 }
 function activateeditor() {
- var url = '<?php echo $editorpath; ?>visualeditor.php?params=<?php echo $alt_payload; ?>';
+ var url = '<?php echo $editorpath; ?>visualeditor.html?params=<?php echo str_replace(array("\\", "'"), array( "\\\\","\\'"), $alt_payload); ?>';
 if (document.frmaction.wstype.value == "1") url += '&type=jsonrpc';
 var wnd = window.open(url, '_blank', 'width=750, height=400, location=0, resizable=1, menubar=0, scrollbars=1');
-- 
2.47.0
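Review bot: The added `str_replace` in controller.php escapes only `\` and `'` for the JS string literal, which is not sufficient for a value echoed inside a `<script>` element: the HTML parser closes the script body at a `</script>` sequence before any JS quoting is applied, and a raw newline, `\r`, U+2028 or U+2029 in `$alt_payload` terminates the string literal. Emitting the value as a JSON literal covers both the HTML and the JS context in one step, e.g. `var url = '<?php echo $editorpath; ?>visualeditor.html?params=' + <?php echo json_encode($alt_payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;`. The value is also spliced into a query string without `rawurlencode()`, so `&`, `#` and `%` in the payload alter the request; whether to encode depends on how visualeditor.html reads `params`, which is outside this hunk, as is the origin of `$alt_payload` and of `$editorpath`, which is still echoed unescaped on the same line. The body of activateeditor() continues past the end of the hunk.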