From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/xhtmlxtras/abbr.htm |   25 +++++++++----------------
 1 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/program/js/tiny_mce/plugins/xhtmlxtras/abbr.htm b/program/js/tiny_mce/plugins/xhtmlxtras/abbr.htm
index 5800284..30a894f 100644
--- a/program/js/tiny_mce/plugins/xhtmlxtras/abbr.htm
+++ b/program/js/tiny_mce/plugins/xhtmlxtras/abbr.htm
@@ -9,13 +9,13 @@
 	<script type="text/javascript" src="js/element_common.js"></script>
 	<script type="text/javascript" src="js/abbr.js"></script>
 	<link rel="stylesheet" type="text/css" href="css/popup.css" />
-	<base target="_self" />
 </head>
-<body style="display: none">
+<body style="display: none" role="application" aria-labelledby="app_title">
+<span style="display:none;" id="app_title">{#xhtmlxtras_dlg.title_abbr_element}</span>
 <form onsubmit="insertAbbr();return false;" action="#">
 	<div class="tabs">
 		<ul>
-			<li id="general_tab" class="current"><span><a href="javascript:mcTabs.displayTab('general_tab','general_panel');" onmousedown="return false;">{#xhtmlxtras_dlg.general_tab}</a></span></li>
+			<li id="general_tab" class="current" aria-controls="general_panel"><span><a href="javascript:mcTabs.displayTab('general_tab','general_panel');" onmousedown="return false;">{#xhtmlxtras_dlg.general_tab}</a></span></li>
 			<!-- <li id="events_tab"><span><a href="javascript:mcTabs.displayTab('events_tab','events_panel');" onmousedown="return false;">{#xhtmlxtras_dlg.events_tab}</a></span></li> -->
 		</ul>
 	</div>
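Review bot: Nothing in this hunk, or in the other hunks of abbr.htm, touches the `_session` argument or utils/save-prefs named in the subject. The visible changes are ARIA attributes, a corrected `for` on a label and layout cleanup in a TinyMCE plugin dialog. The diffstat lists only this file, so the page is presumably a per-file view of a larger commit, and anyone auditing or backporting the fix for #1489382 should locate the server-side change rather than rely on this section. If the commit really does bundle the fix with changes to the bundled editor, the description should say so, for example `Also updates TinyMCE plugin dialogs (accessibility markup)`.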
@@ -24,7 +24,7 @@
 		<div id="general_panel" class="panel current">
 			<fieldset>
 				<legend>{#xhtmlxtras_dlg.fieldset_attrib_tab}</legend>
-				<table border="0" cellpadding="0" cellspacing="4">
+				<table role="presentation" border="0" cellpadding="0" cellspacing="4">
 					<tr>
 						<td class="label"><label id="titlelabel" for="title">{#xhtmlxtras_dlg.attribute_label_title}</label>:</td> 
 						<td><input id="title" name="title" type="text" value="" class="field mceFocus" /></td> 
@@ -42,7 +42,7 @@
 						</td>
 					</tr>
 					<tr>
-						<td class="label"><label id="stylelabel" for="class">{#xhtmlxtras_dlg.attribute_label_style}</label>:</td> 
+						<td class="label"><label id="stylelabel" for="style">{#xhtmlxtras_dlg.attribute_label_style}</label>:</td> 
 						<td><input id="style" name="style" type="text" value="" class="field" /></td> 
 					</tr>
 					<tr>
@@ -68,7 +68,7 @@
 			<fieldset>
 				<legend>{#xhtmlxtras_dlg.fieldset_events_tab}</legend>
 
-				<table border="0" cellpadding="0" cellspacing="4">
+				<table role="presentation" border="0" cellpadding="0" cellspacing="4">
 					<tr>
 						<td class="label"><label for="onfocus">onfocus</label>:</td> 
 						<td><input id="onfocus" name="onfocus" type="text" value="" class="field" /></td> 
@@ -133,17 +133,10 @@
 		</div>
 	</div>
 	<div class="mceActionPanel">
-		<div style="float: left">
-			<input type="submit" id="insert" name="insert" value="{#update}" />
-		</div>
-		<div style="float: left">
-			<input type="button" id="remove" name="remove" class="button" value="{#xhtmlxtras_dlg.remove}" onclick="removeAbbr();" style="display: none;" />
-		</div>
-		<div style="float: right">
-			<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
-		</div>
+		<input type="submit" id="insert" name="insert" value="{#update}" />
+		<input type="button" id="remove" name="remove" class="button" value="{#xhtmlxtras_dlg.remove}" onclick="removeAbbr();" style="display: none;" />
+		<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
 	</div>
-
 </form>
 </body>
 </html>
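Review bot: The rewritten action-panel inputs keep their inline `onclick="removeAbbr();"` and `onclick="tinyMCEPopup.close();"` handlers, so this dialog only works under a `script-src` policy that allows `'unsafe-inline'`. The same applies to the `onsubmit` attribute and the `javascript:` tab link in the first hunk. Since the markup is being touched anyway, binding these handlers from js/abbr.js instead of in attributes would let the dialog run under a stricter Content-Security-Policy. The file lives under tiny_mce, so this is probably better raised upstream than patched locally.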

--
Gitblit v1.9.1