Fix MyCode message formatting XSS in visual editor
dvz committed Aug 9, 2020
1 parent 1b25406 commit 37ad29d
Showing 1 changed file with 6 additions and 7 deletions.
13 changes: 6 additions & 7 deletions jscripts/bbcodes_sceditor.js
Expand Up @@ -58,7 +58,7 @@ $(function ($) {
$.sceditor.formats.bbcode
.set('align', {
html: function (element, attrs, content) {
return '<div align="' + (attrs.defaultattr || 'left') + '">' + content + '</div>';
return '<div align="' + ($.sceditor.escapeEntities(attrs.defaultattr) || 'left') + '">' + content + '</div>';
},
isInline: false
});
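Review bot: the `align` value is now entity-encoded but still not validated. `$.sceditor.escapeEntities` keeps a stray `"` from closing the attribute, but `align` only takes a handful of values (`left`, `center`, `right`, `justify`), so checking `attrs.defaultattr` against that list and falling back to `'left'` for anything else would be tighter than encoding an arbitrary string into the attribute.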
Expand Down Expand Up @@ -168,7 +168,7 @@ $(function ($) {
if (size < 0) {
size = 0;
}
return '<font data-scefontsize="' + attrs.defaultattr + '" size="' + size + '">' + content + '</font>';
return '<font data-scefontsize="' + $.sceditor.escapeEntities(attrs.defaultattr) + '" size="' + size + '">' + content + '</font>';
}
});
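Review bot: only `attrs.defaultattr` is escaped in the `<font>` string; `size` is still concatenated raw, and the visible context only clamps it with `if (size < 0)`. That is fine if `size` is already a number at this point, but a non-numeric value such as `NaN` fails the `< 0` test and would be emitted as-is, so it is worth confirming where `size` is derived that it is coerced with `parseInt` (or similar) before this `return`.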

Expand Down Expand Up @@ -218,7 +218,6 @@ $(function ($) {
var author = '',
$elm = $(element),
$cite = $elm.children('cite').first();
$cite.html($cite.text());

if ($cite.length === 1 || $elm.data('author')) {
author = $cite.text() || $elm.data('author');
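Review bot: dropping `$cite.html($cite.text());` is the right fix here, since it took the cite's text content and re-parsed it as HTML, which is exactly where author text that was safely escaped would become live markup. A one-line comment above the `$cite` lookup noting that the author is deliberately read with `.text()` would stop someone reintroducing a `.html()` call for the same "clean up the cite" reason later.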
Expand All @@ -244,13 +243,13 @@ $(function ($) {
var data = '';

if (attrs.pid)
data += ' data-pid="' + attrs.pid + '"';
data += ' data-pid="' + $.sceditor.escapeEntities(attrs.pid) + '"';

if (attrs.dateline)
data += ' data-dateline="' + attrs.dateline + '"';
data += ' data-dateline="' + $.sceditor.escapeEntities(attrs.dateline) + '"';

if (typeof attrs.defaultattr !== "undefined")
content = '<cite>' + attrs.defaultattr.replace(/ /g, '&nbsp;') + '</cite>' + content;
content = '<cite>' + $.sceditor.escapeEntities(attrs.defaultattr).replace(/ /g, '&nbsp;') + '</cite>' + content;

return '<blockquote' + data + '>' + content + '</blockquote>';
},
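Review bot: the order on the `<cite>` line is correct: escape first, then `.replace(/ /g, '&nbsp;')`, since the reverse would turn the inserted `&nbsp;` into `&amp;nbsp;`. For `data-pid` and `data-dateline`, encoding is enough to keep the attribute intact, but both names suggest numeric values, so a stricter `/^\d+$/` test that omits the attribute otherwise would make malformed input visible instead of merely harmless. Minor style: the three `if` bodies are brace-less single statements; adding braces matches the `if (size < 0) { ... }` form used elsewhere in the file.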
Expand Down Expand Up @@ -280,7 +279,7 @@ $(function ($) {
html: function (token, attrs, content) {
if (typeof attrs.defaultattr == 'string' && attrs.defaultattr != '' && attrs.defaultattr != '{defaultattr}') {
return '<font face="' +
attrs.defaultattr +
$.sceditor.escapeEntities(attrs.defaultattr) +
'">' + content + '</font>';
} else {
return content;
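Review bot: consistent with the other hunks, and checking for the `'{defaultattr}'` sentinel before escaping is fine (escaping would not alter that literal anyway). Two small points: the condition uses `==`/`!=` while the `$cite.length === 1` check elsewhere in the file uses strict comparison, so `===`/`!==` would match the file's style; and since `face` is a free-form font name there is no fixed list to validate against, so entity encoding is the right tool here rather than a whitelist.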

5 comments on commit 37ad29d

@YashvirGaming

Hello, please make a plugin for custom postbit backgrounds, please, man.
Why are you guys neglecting this feature on MyBB?
I want to preview a GIF image behind my avatar.

Tried a lot of methods from the MyBB community; nothing works.

@rajat315315
Contributor

> Hello, please make a plugin for custom postbit backgrounds, please, man.
> Why are you guys neglecting this feature on MyBB?
> I want to preview a GIF image behind my avatar.
>
> Tried a lot of methods from the MyBB community; nothing works.

I think it's not difficult.
Do you want to preview a GIF image only behind your avatar, or do you want to let anybody upload a GIF for an avatar?

@YashvirGaming commented on 37ad29d Aug 25, 2020 via email

Hello sir, I want to upload a GIF behind my avatar only, and also allow only selected user groups to do so. Is that possible?

@rajat315315
Contributor

Yes, it is possible... Not difficult.
Communicate on my email: rajatjain.ix@gmail.com

@Stefan-MyBB
Contributor

Please do not hijack a ticket for a completely unrelated question. That's annoying for users receiving notifications.
