diff -u fckeditor-2.6.6/debian/changelog fckeditor-2.6.6/debian/changelog
--- fckeditor-2.6.6/debian/changelog
+++ fckeditor-2.6.6/debian/changelog
@@ -1,8 +1,14 @@
-fckeditor (1:2.6.6-1build0.12.04.1) precise-security; urgency=low
+fckeditor (1:2.6.6-1squeeze1build0.12.04.1) precise-security; urgency=low
 
   * fake sync from Debian
 
- -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 21 Aug 2012 12:13:29 -0500
+ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 22 Aug 2012 11:26:21 -0500
+
+fckeditor (1:2.6.6-1squeeze1) squeeze-security; urgency=high
+
+  * fixed XSS vulnerability in spellchecker (Closes: #683418) [CVE-2012-4000]
+
+ -- Frank Habermann <lordlamer@lordlamer.de>  Sat, 04 Aug 2012 00:00:00 +0200
 
 fckeditor (1:2.6.6-1) unstable; urgency=low
 
only in patch2:
unchanged:
--- fckeditor-2.6.6.orig/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.cfm
+++ fckeditor-2.6.6/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.cfm
@@ -65,7 +65,7 @@
 <!--- Generate Text Inputs --->
 <cfset i = 0>
 <cfloop list="#submitted_text#" index="textinput">
-  <cfset texts.textinputs = ListAppend(texts.textinputs, 'textinputs[#i#] = decodeURIComponent("#textinput#");', CRLF)>
+  <cfset texts.textinputs = ListAppend(texts.textinputs, 'textinputs[#i#] = decodeURIComponent("' & htmleditformat( textinput ) & '");', CRLF)>
   <cfset i = i + 1>
 </cfloop>
 
only in patch2:
unchanged:
--- fckeditor-2.6.6.orig/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.pl
+++ fckeditor-2.6.6/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.pl
@@ -18,7 +18,7 @@
 # set the 'wordtext' JavaScript variable to the submitted text.
 sub printTextVar {
 	for( my $i = 0; $i <= $#textinputs; $i++ ) {
-	        print "textinputs[$i] = decodeURIComponent('" . escapeQuote( $textinputs[$i] ) . "')\n";
+		print "textinputs[$i] = decodeURIComponent(\"" . specialchar_cnv( $textinputs[$i] ) . "\");\n";
 	}
 }
 
@@ -106,6 +106,18 @@
 	return $str;
 }
 
+sub specialchar_cnv
+{
+	local($ch) = @_;
+
+	$ch =~ s/&/&amp;/g;		# &
+	$ch =~ s/\"/&quot;/g;	#"
+	$ch =~ s/\'/&#39;/g;	# '
+	$ch =~ s/</&lt;/g;		# <
+	$ch =~ s/>/&gt;/g;		# >
+	return($ch);
+}
+
 sub handleError {
 	my $err = shift;
 	print "error = '" . escapeQuote( $err ) . "';\n";
only in patch2:
unchanged:
--- fckeditor-2.6.6.orig/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
+++ fckeditor-2.6.6/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
@@ -24,7 +24,7 @@
 	global $textinputs;
 	foreach( $textinputs as $key=>$val ) {
 		# $val = str_replace( "'", "%27", $val );
-		echo "textinputs[$key] = decodeURIComponent(\"" . $val . "\");\n";
+		echo "textinputs[$key] = decodeURIComponent(\"" . htmlspecialchars($val, ENT_QUOTES) . "\");\n";
 	}
 }