From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/row.htm |   33 +++++++++++++++------------------
 1 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/row.htm b/program/js/tiny_mce/plugins/table/row.htm
index fe75bf6..1885401 100644
--- a/program/js/tiny_mce/plugins/table/row.htm
+++ b/program/js/tiny_mce/plugins/table/row.htm
@@ -5,17 +5,17 @@
 	<script type="text/javascript" src="../../tiny_mce_popup.js"></script>
 	<script type="text/javascript" src="../../utils/mctabs.js"></script>
 	<script type="text/javascript" src="../../utils/form_utils.js"></script>
+	<script type="text/javascript" src="../../utils/validate.js"></script>
 	<script type="text/javascript" src="../../utils/editable_selects.js"></script>
 	<script type="text/javascript" src="js/row.js"></script>
 	<link href="css/row.css" rel="stylesheet" type="text/css" />
-	<base target="_self" />
 </head>
-<body id="tablerow" style="display: none">
-	<form onsubmit="updateAction();return false;">
+<body id="tablerow" style="display: none" role="application">
+	<form onsubmit="updateAction();return false;" action="#">
 		<div class="tabs">
 			<ul>
-				<li id="general_tab" class="current"><span><a href="javascript:mcTabs.displayTab('general_tab','general_panel');" onmousedown="return false;">{#table_dlg.general_tab}</a></span></li>
-				<li id="advanced_tab"><span><a href="javascript:mcTabs.displayTab('advanced_tab','advanced_panel');" onmousedown="return false;">{#table_dlg.advanced_tab}</a></span></li>
+				<li id="general_tab" class="current" aria-controls="general_panel"><span><a href="javascript:mcTabs.displayTab('general_tab','general_panel');" onmousedown="return false;">{#table_dlg.general_tab}</a></span></li>
+				<li id="advanced_tab" aria-controls="advanced_panel"><span><a href="javascript:mcTabs.displayTab('advanced_tab','advanced_panel');" onmousedown="return false;">{#table_dlg.advanced_tab}</a></span></li>
 			</ul>
 		</div>
 
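Review bot: The rewritten tab items (`general_tab`, `advanced_tab`) keep `href="javascript:mcTabs.displayTab(...)"` next to the inline `onsubmit` and `onmousedown` attributes, so this dialog only works under a Content-Security-Policy that permits inline script. Binding those handlers from `js/row.js` with `addEventListener` on the tab links and the form would let the inline attributes go and allow a stricter policy. The path suggests this is a bundled TinyMCE file, so the change probably belongs upstream rather than in a local patch. Separately, the subject names a fix to `_session` handling in utils/save-prefs, but neither this hunk nor the diffstat touches that code, so the security fix itself is presumably in a part of the commit not shown here. The form opened in this hunk continues outside it.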
@@ -24,7 +24,7 @@
 				<fieldset>
 					<legend>{#table_dlg.general_props}</legend>
 
-					<table border="0" cellpadding="4" cellspacing="0">
+					<table role="presentation" border="0" cellpadding="4" cellspacing="0">
 						<tr>
 							<td><label for="rowtype">{#table_dlg.rowtype}</label></td>
 							<td class="col2">
@@ -71,7 +71,7 @@
 
 						<tr>
 							<td><label for="height">{#table_dlg.height}</label></td>
-							<td class="col2"><input name="height" type="text" id="height" value="" size="4" maxlength="4" onchange="changedSize();" /></td>
+							<td class="col2"><input name="height" type="text" id="height" value="" size="7" maxlength="7" onchange="changedSize();" class="size" /></td>
 						</tr>
 					</table>
 				</fieldset>
@@ -81,7 +81,7 @@
 				<fieldset>
 					<legend>{#table_dlg.advanced_props}</legend>
 
-					<table border="0" cellpadding="0" cellspacing="4">
+					<table role="presentation" border="0" cellpadding="0" cellspacing="4">
 						<tr>
 							<td class="column1"><label for="id">{#table_dlg.id}</label></td> 
 							<td><input id="id" name="id" type="text" value="" style="width: 200px" /></td> 
@@ -113,7 +113,7 @@
 						<tr>
 							<td class="column1"><label for="backgroundimage">{#table_dlg.bgimage}</label></td> 
 							<td>
-								<table border="0" cellpadding="0" cellspacing="0">
+								<table role="presentation" border="0" cellpadding="0" cellspacing="0">
 									<tr>
 										<td><input id="backgroundimage" name="backgroundimage" type="text" value="" style="width: 200px" onchange="changedBackgroundImage();" /></td>
 										<td id="backgroundimagebrowsercontainer">&nbsp;</td>
@@ -123,14 +123,16 @@
 						</tr>
 
 						<tr>
-							<td class="column1"><label for="bgcolor">{#table_dlg.bgcolor}</label></td> 
+							<td class="column1"><label for="bgcolor" id="bgcolor_label">{#table_dlg.bgcolor}</label></td> 
 							<td>
-								<table border="0" cellpadding="0" cellspacing="0">
+								<span role="group" aria-labelledby="bgcolor_label">
+								<table role="presentation" border="0" cellpadding="0" cellspacing="0">
 									<tr>
 										<td><input id="bgcolor" name="bgcolor" type="text" value="" size="9" onchange="updateColor('bgcolor_pick','bgcolor');changedColor();" /></td>
 										<td id="bgcolor_pickcontainer">&nbsp;</td>
 									</tr>
 								</table>
+								</span>
 							</td> 
 						</tr>
 					</table>
@@ -148,13 +150,8 @@
 				</select>
 			</div>
 
-			<div style="float: left">
-				<div><input type="submit" id="insert" name="insert" value="{#update}" /></div>
-			</div>
-
-			<div style="float: right">
-				<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
-			</div>
+			<input type="submit" id="insert" name="insert" value="{#update}" />
+			<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
 		</div>
 	</form>
 </body>

--
Gitblit v1.9.1