From 6dcaf0b4db6254f1833fe8dae295d9ddc2219276 Mon Sep 17 00:00:00 2001
From: dvz <devilshakerz@gmail.com>
Date: Sat, 4 Nov 2023 18:33:47 +0100
Subject: [PATCH] Fix Visual editor size code persistent XSS

---
 admin/modules/user/users.php     |  2 +-
 install/resources/mybb_theme.xml |  6 +++---
 install/resources/upgrade58.php  | 21 +++++++++++++++++++++
 jscripts/bbcodes_sceditor.js     |  2 +-
 4 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 install/resources/upgrade58.php

diff --git a/admin/modules/user/users.php b/admin/modules/user/users.php
index b057cccf88..6fa972cb88 100644
--- a/admin/modules/user/users.php
+++ b/admin/modules/user/users.php
@@ -943,7 +943,7 @@
 
 	<link rel="stylesheet" href="../jscripts/sceditor/themes/mybb.css" type="text/css" media="all" />
 	<script type="text/javascript" src="../jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1832"></script>
-	<script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1832"></script>
+	<script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1837"></script>
 	<script type="text/javascript" src="../jscripts/sceditor/plugins/undo.js?ver=1832"></script>
 EOF;
 	$page->output_header($lang->edit_user);
diff --git a/install/resources/mybb_theme.xml b/install/resources/mybb_theme.xml
index 73280de7d3..140a9570e7 100644
--- a/install/resources/mybb_theme.xml
+++ b/install/resources/mybb_theme.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<theme name="MyBB Master Style" version="1834">
+<theme name="MyBB Master Style" version="1837">
 	<properties>
 		<templateset><![CDATA[1]]></templateset>
 		<imgdir><![CDATA[images]]></imgdir>
@@ -14159,9 +14159,9 @@ if(use_xmlhttprequest == "1")
 <td class="trow1" width="20%"><strong>{$lang->username}</strong></td>
 <td class="trow1">{$mybb->user['username']} <span class="smalltext">[<strong><a href="member.php?action=logout&amp;logoutkey={$mybb->user['logoutkey']}">{$lang->change_user}</a></strong>]</span></td>
 </tr>]]></template>
-		<template name="codebuttons" version="1832"><![CDATA[<link rel="stylesheet" href="{$mybb->asset_url}/jscripts/sceditor/themes/{$theme['editortheme']}" type="text/css" media="all" />
+		<template name="codebuttons" version="1837"><![CDATA[<link rel="stylesheet" href="{$mybb->asset_url}/jscripts/sceditor/themes/{$theme['editortheme']}" type="text/css" media="all" />
 <script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1832"></script>
-<script type="text/javascript" src="{$mybb->asset_url}/jscripts/bbcodes_sceditor.js?ver=1832"></script>
+<script type="text/javascript" src="{$mybb->asset_url}/jscripts/bbcodes_sceditor.js?ver=1837"></script>
 <script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/plugins/undo.js?ver=1832"></script>
 <script type="text/javascript">
 var partialmode = {$mybb->settings['partialmode']},
diff --git a/install/resources/upgrade58.php b/install/resources/upgrade58.php
new file mode 100644
index 0000000000..77ea0cc084
--- /dev/null
+++ b/install/resources/upgrade58.php
@@ -0,0 +1,21 @@
+<?php
+/**
+ * MyBB 1.8
+ * Copyright 2014 MyBB Group, All Rights Reserved
+ *
+ * Website: http://www.mybb.com
+ * License: http://www.mybb.com/about/license
+ *
+ */
+
+/**
+ * Upgrade Script: 1.8.34, 1.8.35 or 1.8.36
+ */
+
+$upgrade_detail = array(
+    "revert_all_templates" => 0,
+    "revert_all_themes" => 0,
+    "revert_all_settings" => 0
+);
+
+/* Nothing to do for 1.8.34, 1.8.35 or 1.8.36 */
diff --git a/jscripts/bbcodes_sceditor.js b/jscripts/bbcodes_sceditor.js
index 61700c47bf..fbe4b89111 100644
--- a/jscripts/bbcodes_sceditor.js
+++ b/jscripts/bbcodes_sceditor.js
@@ -181,7 +181,7 @@ $(function ($) {
 				units = "",
 				parsed = parseInt(attrs.defaultattr, 10);
 			if (!isNaN(parsed)) {
-				size = attrs.defaultattr;
+				size = parsed;
 				if (size < 1) {
 					size = 1;
 				} else if (size > 50) {