From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/merge_cells.htm |   33 ++++++++++++++-------------------
 1 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/merge_cells.htm b/program/js/tiny_mce/plugins/table/merge_cells.htm
index 25d42eb..d231090 100644
--- a/program/js/tiny_mce/plugins/table/merge_cells.htm
+++ b/program/js/tiny_mce/plugins/table/merge_cells.htm
@@ -7,30 +7,25 @@
 	<script type="text/javascript" src="../../utils/validate.js"></script>
 	<script type="text/javascript" src="js/merge_cells.js"></script>
 </head>
-<body style="margin: 8px">
-<form onsubmit="mergeCells();return false;" action="#">
+<body style="margin: 8px" role="application">
+<form onsubmit="MergeCellsDialog.merge();return false;" action="#">
 	<fieldset>
 		<legend>{#table_dlg.merge_cells_title}</legend>
-		  <table border="0" cellpadding="0" cellspacing="3" width="100%">
-			  <tr>
-				<td>{#table_dlg.cols}:</td>
-				<td align="right"><input type="text" name="numcols" value="" class="number min1 mceFocus" style="width: 30px" /></td>
-			  </tr>
-			  <tr>
-				<td>{#table_dlg.rows}:</td>
-				<td align="right"><input type="text" name="numrows" value="" class="number min1" style="width: 30px" /></td>
-			  </tr>
-		  </table>
+		<table role="presentation" border="0" cellpadding="0" cellspacing="3" width="100%">
+			<tr>
+				<td><label for="numcols">{#table_dlg.cols}</label>:</td>
+				<td align="right"><input type="text" id="numcols" name="numcols" value="" class="number min1 mceFocus" style="width: 30px" aria-required="true" /></td>
+			</tr>
+			<tr>
+				<td><label for="numrows">{#table_dlg.rows}</label>:</td>
+				<td align="right"><input type="text" id="numrows" name="numrows" value="" class="number min1" style="width: 30px" aria-required="true" /></td>
+			</tr>
+		</table>
 	</fieldset>
 
 	<div class="mceActionPanel">
-		<div style="float: left">
-			<input type="submit" id="insert" name="insert" value="{#update}" />
-		</div>
-
-		<div style="float: right">
-			<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
-		</div>
+		<input type="submit" id="insert" name="insert" value="{#update}" />
+		<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
 	</div>
 </form>
 </body>

--
Gitblit v1.9.1