From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/merge_cells.htm |   48 +++++++++++++++++++++---------------------------
 1 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/merge_cells.htm b/program/js/tiny_mce/plugins/table/merge_cells.htm
index 10896bf..d231090 100644
--- a/program/js/tiny_mce/plugins/table/merge_cells.htm
+++ b/program/js/tiny_mce/plugins/table/merge_cells.htm
@@ -1,37 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-	<title>{$lang_table_merge_cells_title}</title>
-	<script language="javascript" type="text/javascript" src="../../tiny_mce_popup.js"></script>
-	<script language="javascript" type="text/javascript" src="../../utils/mctabs.js"></script>
-	<script language="javascript" type="text/javascript" src="../../utils/validate.js"></script>
-	<script language="javascript" type="text/javascript" src="jscripts/merge_cells.js"></script>
-	<base target="_self" />
+	<title>{#table_dlg.merge_cells_title}</title>
+	<script type="text/javascript" src="../../tiny_mce_popup.js"></script>
+	<script type="text/javascript" src="../../utils/mctabs.js"></script>
+	<script type="text/javascript" src="../../utils/validate.js"></script>
+	<script type="text/javascript" src="js/merge_cells.js"></script>
 </head>
-<body onload="tinyMCEPopup.executeOnLoad('init();');" style="margin: 8px" style="display: none">
-<form onsubmit="insertTable();return false;" action="#">
+<body style="margin: 8px" role="application">
+<form onsubmit="MergeCellsDialog.merge();return false;" action="#">
 	<fieldset>
-		<legend>{$lang_table_merge_cells_title}</legend>
-		  <table border="0" cellpadding="0" cellspacing="3" width="100%">
-			  <tr>
-				<td>{$lang_table_cols}:</td>
-				<td align="right"><input type="text" name="numcols" value="" class="number min1" style="width: 30px" /></td>
-				<td>
-			  </tr>
-			  <tr>
-				<td>{$lang_table_rows}:</td>
-				<td align="right"><input type="text" name="numrows" value="" class="number min1" style="width: 30px" /></td>
-			  </tr>
-		  </table>
+		<legend>{#table_dlg.merge_cells_title}</legend>
+		<table role="presentation" border="0" cellpadding="0" cellspacing="3" width="100%">
+			<tr>
+				<td><label for="numcols">{#table_dlg.cols}</label>:</td>
+				<td align="right"><input type="text" id="numcols" name="numcols" value="" class="number min1 mceFocus" style="width: 30px" aria-required="true" /></td>
+			</tr>
+			<tr>
+				<td><label for="numrows">{#table_dlg.rows}</label>:</td>
+				<td align="right"><input type="text" id="numrows" name="numrows" value="" class="number min1" style="width: 30px" aria-required="true" /></td>
+			</tr>
+		</table>
 	</fieldset>
 
 	<div class="mceActionPanel">
-		<div style="float: left">
-			<input type="button" id="insert" name="insert" value="{$lang_update}" onclick="mergeCells();" />
-		</div>
-
-		<div style="float: right">
-			<input type="button" id="cancel" name="cancel" value="{$lang_cancel}" onclick="tinyMCEPopup.close();" />
-		</div>
+		<input type="submit" id="insert" name="insert" value="{#update}" />
+		<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
 	</div>
 </form>
 </body>

--
Gitblit v1.9.1