The error message shown when loading a non-existent editor was attempted wasn't
escaped correctly, allowing arbitrary JavaScript to be introduced into the
output, leading to an XSS vulnerability.
Note: the reported second CSRF vulnerability is the same bug; the exploit
code simply uses JavaScript to extract a valid CSRF token from the site.
* master: (75 commits)
release preparations
Romanian language update
removed 'view original' button from new media manager again (was added in b8a84c03) and made a link around the image instead, as that is a more minor change (as it should be during the RC phase) and is what was originally planned
corrected old mediaupload introduction text
Removed obsolete Opera fix that now causes harm FS#2429
don't limit download sizes in plugin manager
Disable E_STRICT error reporting
Make Sitemapper functions static as they were used as static functions
Make this dummy file empty like all others
Update copyright year
Remove testing md5 hash from installer
Slovak language update
localization: removed strings from old flashuploader
Polish language update
readded missing "view original" button to the new media manager
always show full filename as tooltip in mediamanager
Fix sorting in media manager search (FS#2423)
make the installer check for new media dirs
do not rely on tmpfile() in the AJAX uploader backend FS#2417
Galician language update
...
This change disables the reporting of strict standards errors in PHP 5.4.
In PHP versions prior to 5.4, E_STRICT wasn't part of E_ALL, so for
these versions this doesn't cause any change (however, E_STRICT is
available in all versions of PHP 5, so this doesn't cause any problems).
See also FS#2427.
All calls to the Sitemapper were static function calls; this caused
notices because they weren't static. With this commit they are marked as
static. Furthermore, two FIXME comments were removed, as dbglog now checks
whether debugging is enabled.