MyBB Community Forums

Hi.
Calling action in misc.php "smilies" have a bug on typing custom javascript function popup window emotoicons inserter.

When we click on action for opening smilies window we typing action="onlick" editor name like this:

<a href="javascript:MyBB.popupWindow('/misc.php?action=smilies&amp;popup=true&amp;editor=MyBBEditor&amp;modal=1')">Emots</a>

But code in file misc.php skip this(ignore editor name), and replace Permanently this name.

$onclick = " onclick=\"MyBBEditor.insertText(' $smilie_insert ');\"";

Oryginal code.

$onclick = " onclick=\"MyBBEditor.insertText(' $smilie_insert ');\"";

It should be like this

$onclick = " onclick=\"".$mybb->input['editor'].".insertText(' $smilie_insert ');\"";

Now we can get action with any html obiect to use emotoicons with some javascript code.

<a href="javascript:MyBB.popupWindow('/misc.php?action=smilies&amp;popup=true&amp;editor=MyCustomEditor&amp;modal=1')">Emots</a>

And all work better and popup smilies can work with any custom text area where we want.

I see nothing against, except that your code is vulnerable to self-XSS and $editor should be used instead.

Sure Destroy666 any code is vulnerable to self-xss when we edit out page on browser
This is only action for generate onClick(); when emotion is clicken by mouse.

Any page is vulnerable but you'd make it a lot easier for attacker to just use a malformed input in external form, redirect or whatever..

Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/2396

Thanks for contributing to MyBB!

Regards,
The MyBB Group

Hi,
I wrote the wrong variable above this code i missed variable, and put without_preg_replace();
Safe change is:

$onclick = " onclick=\"".$editor.".insertText(' $smilie_insert ');\"";