From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/js/row.js |   38 +++++++++++++++++++-------------------
 1 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/js/row.js b/program/js/tiny_mce/plugins/table/js/row.js
index 7e188c3..a13d695 100644
--- a/program/js/tiny_mce/plugins/table/js/row.js
+++ b/program/js/tiny_mce/plugins/table/js/row.js
@@ -19,7 +19,7 @@
 	var height = trimSize(getStyle(trElm, 'height', 'height'));
 	var className = dom.getAttrib(trElm, 'class');
 	var bgcolor = convertRGBToHex(getStyle(trElm, 'bgcolor', 'backgroundColor'));
-	var backgroundimage = getStyle(trElm, 'background', 'backgroundImage').replace(new RegExp("url\\('?([^']*)'?\\)", 'gi'), "$1");;
+	var backgroundimage = getStyle(trElm, 'background', 'backgroundImage').replace(new RegExp("url\\(['\"]?([^'\"]*)['\"]?\\)", 'gi'), "$1");
 	var id = dom.getAttrib(trElm, 'id');
 	var lang = dom.getAttrib(trElm, 'lang');
 	var dir = dom.getAttrib(trElm, 'dir');
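Review bot: The widened pattern on the `backgroundimage` line still accepts mismatched quotes (`url('x.png")`) and no whitespace inside the parentheses, so a value like `url( "x.png" )` is left unchanged and lands in the form field with the `url(...)` wrapper intact. A regex literal also avoids the double escaping that made the old string version hard to read: `.replace(/url\(\s*(['"]?)([^'"]*)\1\s*\)/gi, "$2")` matches only balanced quotes and tolerates padding. The enclosing function starts outside this hunk.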
@@ -56,6 +56,11 @@
 	var inst = tinyMCEPopup.editor, dom = inst.dom, trElm, tableElm, formObj = document.forms[0];
 	var action = getSelectValue(formObj, 'action');
 
+	if (!AutoValidator.validate(formObj)) {
+		tinyMCEPopup.alert(AutoValidator.getErrorMessages(formObj).join('. ') + '.');
+		return false;
+	}
+
 	tinyMCEPopup.restoreSelection();
 	trElm = dom.getParent(inst.selection.getStart(), "tr");
 	tableElm = dom.getParent(inst.selection.getStart(), "table");
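Review bot: The new validation guard returns `false`, while the existing bail-out later in what appears to be the same function (`tinyMCEPopup.close(); return;` in the next hunk) returns without a value; pick one convention, e.g. `return;` here, since the caller presumably ignores the result either way. The alert text `AutoValidator.getErrorMessages(formObj).join('. ') + '.'` degrades to a bare `.` if the validator ever reports a failure with an empty message list — presumably it does not, but a short comment stating that assumption would help, e.g. `// validate() failing implies at least one message`. The enclosing function starts outside this hunk.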
@@ -79,8 +84,6 @@
 		tinyMCEPopup.close();
 		return;
 	}
-
-	inst.execCommand('mceBeginUndoLevel');
 
 	switch (action) {
 		case "row":
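Review bot: Dropping `inst.execCommand('mceBeginUndoLevel')` is only safe if the matching `mceEndUndoLevel` call further down this function was already absent or is removed as well; the diffstat (19 insertions, 19 deletions) accounts for every line in this patch and shows no such removal, so if the end call still exists the undo levels become unbalanced. If the begin call was redundant because TinyMCE already opens a level around the popup action, a one-line comment at the removal site (`// undo level is handled by the editor command wrapper`) would stop the next reader from putting it back. The enclosing function starts and ends outside this hunk.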
@@ -123,19 +126,19 @@
 
 	// Update row element
 	if (!skip_id)
-		tr_elm.setAttribute('id', formObj.id.value);
+		dom.setAttrib(tr_elm, 'id', formObj.id.value);
 
-	tr_elm.setAttribute('align', getSelectValue(formObj, 'align'));
-	tr_elm.setAttribute('vAlign', getSelectValue(formObj, 'valign'));
-	tr_elm.setAttribute('lang', formObj.lang.value);
-	tr_elm.setAttribute('dir', getSelectValue(formObj, 'dir'));
-	tr_elm.setAttribute('style', dom.serializeStyle(dom.parseStyle(formObj.style.value)));
+	dom.setAttrib(tr_elm, 'align', getSelectValue(formObj, 'align'));
+	dom.setAttrib(tr_elm, 'vAlign', getSelectValue(formObj, 'valign'));
+	dom.setAttrib(tr_elm, 'lang', formObj.lang.value);
+	dom.setAttrib(tr_elm, 'dir', getSelectValue(formObj, 'dir'));
+	dom.setAttrib(tr_elm, 'style', dom.serializeStyle(dom.parseStyle(formObj.style.value)));
 	dom.setAttrib(tr_elm, 'class', getSelectValue(formObj, 'class'));
 
 	// Clear deprecated attributes
-	tr_elm.setAttribute('background', '');
-	tr_elm.setAttribute('bgColor', '');
-	tr_elm.setAttribute('height', '');
+	dom.setAttrib(tr_elm, 'background', '');
+	dom.setAttrib(tr_elm, 'bgColor', '');
+	dom.setAttrib(tr_elm, 'height', '');
 
 	// Set styles
 	tr_elm.style.height = getCSSSize(formObj.height.value);
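Review bot: The switch from `tr_elm.setAttribute` to `dom.setAttrib` is not explained, and the two differ in a way that matters under the "Clear deprecated attributes" heading: if `dom.setAttrib` removes the attribute when the value is empty (as TinyMCE's DOMUtils appears to), the old code left empty `background`/`bgColor`/`height` attributes on the row while the new code drops them. A comment above the first changed line would preserve that intent, e.g. `// dom.setAttrib removes the attribute when given '', unlike setAttribute -- keeps cleared attributes from lingering as empty strings`. Note that `tr_elm.style.height` on the last visible line is still written directly rather than through `dom`, which may be deliberate but reads inconsistently next to the rest. The enclosing function starts and ends outside this hunk.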
@@ -163,13 +166,10 @@
 		if (newParent == null) {
 			newParent = doc.createElement(dest);
 
-			if (dest == "thead") {
-				if (theTable.firstChild.nodeName == 'CAPTION')
-					inst.dom.insertAfter(newParent, theTable.firstChild);
-				else
-					theTable.insertBefore(newParent, theTable.firstChild);
-			} else
-				theTable.appendChild(newParent);
+			if (theTable.firstChild.nodeName == 'CAPTION')
+				inst.dom.insertAfter(newParent, theTable.firstChild);
+			else
+				theTable.insertBefore(newParent, theTable.firstChild);
 		}
 
 		// append the row to the new parent
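Review bot: Removing the `dest == "thead"` branch changes where a newly created `tbody`/`tfoot` is placed: previously those were appended at the end of the table, now every new section is inserted before the first child (or after the caption), so a fresh `tfoot` or `tbody` ends up above existing body rows. If that is the intended ordering a comment should say so, e.g. `// new section goes right after the caption regardless of type; table section order is not enforced here`; otherwise the old `else theTable.appendChild(newParent);` path should be kept for non-`thead` destinations. The enclosing function starts and ends outside this hunk.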

--
Gitblit v1.9.1