From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/searchreplace/js/searchreplace.js |   28 ++++++++++++++++++++++------
 1 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/program/js/tiny_mce/plugins/searchreplace/js/searchreplace.js b/program/js/tiny_mce/plugins/searchreplace/js/searchreplace.js
index a8585cc..80284b9 100644
--- a/program/js/tiny_mce/plugins/searchreplace/js/searchreplace.js
+++ b/program/js/tiny_mce/plugins/searchreplace/js/searchreplace.js
@@ -2,14 +2,18 @@
 
 var SearchReplaceDialog = {
 	init : function(ed) {
-		var f = document.forms[0], m = tinyMCEPopup.getWindowArg("mode");
+		var t = this, f = document.forms[0], m = tinyMCEPopup.getWindowArg("mode");
 
-		this.switchMode(m);
+		t.switchMode(m);
 
 		f[m + '_panel_searchstring'].value = tinyMCEPopup.getWindowArg("search_string");
 
 		// Focus input field
 		f[m + '_panel_searchstring'].focus();
+		
+		mcTabs.onChange.add(function(tab_id, panel_id) {
+			t.switchMode(tab_id.substring(0, tab_id.indexOf('_')));
+		});
 	},
 
 	switchMode : function(m) {
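Review bot: The `mcTabs.onChange` callback in `init` derives the mode from the tab id without checking that the id contains an underscore. If `tab_id.indexOf('_')` returns -1, `substring(0, -1)` yields an empty string and `switchMode('')` is called; the body of `switchMode` is outside this hunk, so whether it tolerates that cannot be confirmed from here. A guard keeps the handler safe if a tab id ever departs from the `<mode>_tab` naming it appears to assume: `var i = tab_id.indexOf('_'); if (i > 0) t.switchMode(tab_id.substring(0, i));`. The unused `panel_id` parameter could also be dropped.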
@@ -42,21 +46,23 @@
 		ca = f[m + '_panel_casesensitivebox'].checked;
 		rs = f['replace_panel_replacestring'].value;
 
+		if (tinymce.isIE) {
+			r = ed.getDoc().selection.createRange();
+		}
+
 		if (s == '')
 			return;
 
 		function fix() {
 			// Correct Firefox graphics glitches
+			// TODO: Verify if this is actually needed any more, maybe it was for very old FF versions? 
 			r = se.getRng().cloneRange();
 			ed.getDoc().execCommand('SelectAll', false, null);
 			se.setRng(r);
 		};
 
 		function replace() {
-			if (tinymce.isIE)
-				ed.selection.getRng().duplicate().pasteHTML(rs); // Needs to be duplicated due to selection bug in IE
-			else
-				ed.getDoc().execCommand('InsertHTML', false, rs);
+			ed.selection.setContent(rs); // Needs to be duplicated due to selection bug in IE
 		};
 
 		// IE flags
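Review bot: The comment kept on the new `ed.selection.setContent(rs);` line in `replace()` is stale, because it describes the removed `duplicate()` call and nothing is duplicated any more. It would be more useful to state what the line does with its input: `setContent` inserts `rs` as HTML, as the removed `pasteHTML`/`InsertHTML` calls did, so markup typed into the replace field is parsed rather than shown literally. Suggested replacement: `ed.selection.setContent(rs); // rs is inserted as HTML markup, not plain text`. The enclosing function starts before this hunk and continues after it.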
@@ -70,11 +76,18 @@
 				ed.selection.collapse(true);
 
 				if (tinymce.isIE) {
+					ed.focus();
+					r = ed.getDoc().selection.createRange();
+
 					while (r.findText(s, b ? -1 : 1, fl)) {
 						r.scrollIntoView();
 						r.select();
 						replace();
 						fo = 1;
+
+						if (b) {
+							r.moveEnd("character", -(rs.length)); // Otherwise will loop forever
+						}
 					}
 
 					tinyMCEPopup.storeSelection();
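Review bot: In the backward-search branch, `r.moveEnd("character", -(rs.length))` uses the raw string length of `rs`, but `replace()` inserts `rs` as HTML. When the replacement contains tags or entities, the text actually inserted is shorter than `rs.length`, so the range end moves back further than the replacement and matches between the two positions may be skipped. At minimum the assumption should be recorded next to the call, for example `// assumes rs is plain text; rs.length over-counts when rs contains tags or entities`. A fuller fix would measure the inserted text length instead; the enclosing function begins outside this hunk, so the right place to compute that is not visible here.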
@@ -107,6 +120,9 @@
 			return;
 
 		if (tinymce.isIE) {
+			ed.focus();
+			r = ed.getDoc().selection.createRange();
+
 			if (r.findText(s, b ? -1 : 1, fl)) {
 				r.scrollIntoView();
 				r.select();

--
Gitblit v1.9.1