[Pushed] Smilies popup - MyBB Community Forums (https://community.mybb.com)
Thread: [Pushed] Smilies popup (/thread-189590.html)

Smilies popup - glover - 2016-03-05

Hi. Calling the "smilies" action in misc.php has a bug when using a custom JavaScript function for the popup window emoticon inserter. When we click on the action for opening the smilies window, we type the editor name in action="onclick" like this:

But the code in file misc.php skips this (ignores the editor name) and permanently replaces this name.

Original code:

It should be like this:

Now we can use the action with any HTML object to use emoticons with some JavaScript code.
And all works better, and the popup smilies can work with any custom text area where we want.

RE: Smilies popup - Destroy666 - 2016-03-05

I see nothing against, except that your code is vulnerable to self-XSS and $editor should be used instead.

RE: Smilies popup - glover - 2016-03-12

Sure, Destroy666, any code is vulnerable to self-XSS when we edit our page in the browser. This is only an action for generating onClick(); when an emoticon is clicked by mouse.

RE: Smilies popup - Destroy666 - 2016-03-12

Any page is vulnerable, but you'd make it a lot easier for an attacker to just use a malformed input in an external form, redirect or whatever.

RE: Smilies popup - Destroy666 - 2016-04-21

Hi,

Thank you for your report. We have pushed this issue to our GitHub repository for further analysis, where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on GitHub: https://github.com/mybb/mybb/issues/2396

Thanks for contributing to MyBB!

Regards,
The MyBB Group

RE: Smilies popup - glover - 2016-04-28

Hi, I wrote the wrong variable above. In this code I missed the variable and put it without preg_replace(); Safe change is:
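
The concern discussed in this thread, an editor name taken from the request and written into an onclick handler, shown as an added PHP example with the unfiltered form beside a filtered and encoded one. This is not the code posted in the thread or MyBB's own code; the function names, the `insertSmilie` JavaScript call and the `defaultEditor` fallback are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration; function names, insertSmilie() and the default id are hypothetical.

// Unsafe: the request value is pasted straight into an inline event handler.
function smilie_link_unsafe(string $editor, string $code): string
{
    return "<a href=\"#\" onclick=\"insertSmilie('{$editor}', '{$code}');\">{$code}</a>";
}

// Allowlist filter: keep only characters that can appear in a simple identifier.
function clean_editor_id(string $raw, string $default = 'defaultEditor'): string
{
    $clean = preg_replace('/[^a-zA-Z0-9_]/', '', $raw);
    return ($clean === null || $clean === '') ? $default : $clean;
}

// Hardened: filter first, then encode for the JS string context and for the
// HTML attribute context, so neither layer depends on the other.
function smilie_link_safe(string $editor, string $code): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $js = sprintf(
        'insertSmilie(%s, %s);',
        json_encode(clean_editor_id($editor), $flags),
        json_encode($code, $flags)
    );
    return sprintf(
        '<a href="#" onclick="%s">%s</a>',
        htmlspecialchars($js, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($code, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample values standing in for the "editor" request parameter.
$samples = ['message', 'my_custom_area', "x');alert(1);//", '"><b>'];
foreach ($samples as $raw) {
    echo "input : {$raw}\n";
    echo "unsafe: " . smilie_link_unsafe($raw, ':)') . "\n";
    echo "safe  : " . smilie_link_safe($raw, ':)') . "\n\n";
}
```

For the last two inputs the unsafe output contains a broken-out attribute or script statement, while the safe output carries only the filtered identifier (or the fallback when nothing survives the filter).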