update docs; bump version nr

NEWS.md

@@ -1,3 +1,14 @@
+## XML-RPC for PHP version 4.9.2 - 2022-12-18
+
+* security fix: removed the possibility of an XSS attack in the debugger.
+  Since the debugger is not designed to be exposed to end users but only to the developers using this library, and in
+  the default configuration it is not exposed to requests from the web, the severity of this issue can be considered low.
+
+* improved: the debugger now uses jsxmlrpc lib version 0.6. It loads it from a cdn rather than locally.
+  It also can make use of a 2nd constant to help telling it where the visual-editor form the jsxmlrpc lib is located,
+  in case its path on disk relative to the debugger and its url relative to the web root do not match.
+
+
 ## XML-RPC for PHP version 4.9.1 - 2022-12-12
 
 * fixed: php warnings on php 8.2. This includes preferring usage of mbstring for converting between Latin1 and UTF8

debugger/action.php

@@ -22,7 +22,7 @@
         body {
             border-top: 1px solid gray;
             padding: 1em;
-            font-family: Verdana, Arial, Helvetica;
+            font-family: Verdana, Arial, Helvetica, sans-serif;
             font-size: 8pt;
         }
 
@@ -544,7 +544,7 @@
 
     <h3>Changelog</h3>
     <ul>
-        <li>2022-12-xx: fix XSS vulnerability in the debugger</li>
+        <li>2022-12-18: fix XSS vulnerability in the debugger; load jsxmlrpc from CDN</li>
         <li>2022-11-28: allow to use http/2 protocol; two security issues fixed in the underlying library</li>
         <li>2020-12-11: fix problems with running the debugger on php 8</li>
         <li>2015-05-30: fix problems with generating method payloads for NIL and Undefined parameters</li>

src/PhpXmlRpc.php

@@ -92,7 +92,7 @@ class PhpXmlRpc
     public static $xmlrpc_internalencoding = "UTF-8";
 
     public static $xmlrpcName = "XML-RPC for PHP";
-    public static $xmlrpcVersion = "4.9.1";
+    public static $xmlrpcVersion = "4.9.2";
 
     // let user errors start at 800
     public static $xmlrpcerruser = 800;