From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/js/tiny_mce/plugins/table/cell.htm | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/program/js/tiny_mce/plugins/table/cell.htm b/program/js/tiny_mce/plugins/table/cell.htm
index 4afb6af..a72a8d6 100644
--- a/program/js/tiny_mce/plugins/table/cell.htm
+++ b/program/js/tiny_mce/plugins/table/cell.htm
@@ -5,6 +5,7 @@
<script type="text/javascript" src="../../tiny_mce_popup.js"></script>
<script type="text/javascript" src="../../utils/mctabs.js"></script>
<script type="text/javascript" src="../../utils/form_utils.js"></script>
+ <script type="text/javascript" src="../../utils/validate.js"></script>
<script type="text/javascript" src="../../utils/editable_selects.js"></script>
<script type="text/javascript" src="js/cell.js"></script>
<link href="css/cell.css" rel="stylesheet" type="text/css" />
@@ -70,10 +71,10 @@
<tr>
<td><label for="width">{#table_dlg.width}</label></td>
- <td><input id="width" name="width" type="text" value="" size="4" maxlength="4" onchange="changedSize();" /></td>
+ <td><input id="width" name="width" type="text" value="" size="7" maxlength="7" onchange="changedSize();" class="size" /></td>
<td><label for="height">{#table_dlg.height}</label></td>
- <td><input id="height" name="height" type="text" value="" size="4" maxlength="4" onchange="changedSize();" /></td>
+ <td><input id="height" name="height" type="text" value="" size="7" maxlength="7" onchange="changedSize();" class="size" /></td>
</tr>
<tr id="styleSelectRow">
@@ -166,6 +167,7 @@
<select id="action" name="action">
<option value="cell">{#table_dlg.cell_cell}</option>
<option value="row">{#table_dlg.cell_row}</option>
+ <option value="col">{#table_dlg.cell_col}</option>
<option value="all">{#table_dlg.cell_all}</option>
</select>
</div>
--
Gitblit v1.9.1