From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/js/tiny_mce/plugins/xhtmlxtras/ins.htm | 36 ++++++++++++++----------------------
 1 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/program/js/tiny_mce/plugins/xhtmlxtras/ins.htm b/program/js/tiny_mce/plugins/xhtmlxtras/ins.htm
index c0f056f..d001ac7 100644
--- a/program/js/tiny_mce/plugins/xhtmlxtras/ins.htm
+++ b/program/js/tiny_mce/plugins/xhtmlxtras/ins.htm
@@ -9,13 +9,13 @@
 <script type="text/javascript" src="js/element_common.js"></script>
 <script type="text/javascript" src="js/ins.js"></script>
 <link rel="stylesheet" type="text/css" href="css/popup.css" />
- <base target="_self" />
 </head>
-<body id="xhtmlxtrasins" style="display: none">
+<body id="xhtmlxtrasins" style="display: none" role="application" aria-labelledby="app_title">
+<span style="display:none;" id="app_title">{#xhtmlxtras_dlg.title_ins_element}</span>
 <form onsubmit="insertIns();return false;" action="#">
 <div class="tabs">
 <ul>
- <li id="general_tab" class="current"><span><a href="javascript:mcTabs.displayTab('general_tab','general_panel');" onmousedown="return false;">{#xhtmlxtras_dlg.general_tab}</a></span></li>
+ <li id="general_tab" class="current" aria-controls="general_panel"><span><a href="javascript:mcTabs.displayTab('general_tab','general_panel');" onmousedown="return false;">{#xhtmlxtras_dlg.general_tab}</a></span></li>
 <!-- <li id="events_tab"><span><a href="javascript:mcTabs.displayTab('events_tab','events_panel');" onmousedown="return false;">{#xhtmlxtras_dlg.events_tab}</a></span></li> -->
 </ul>
 </div>
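Review bot: Nothing in this file section touches the `_session` argument or `utils/save-prefs` named in the subject. The lines changed in ins.htm are ARIA attributes (`role="application"`, `aria-controls`, and `role="presentation"` in later hunks), the dropped `<base target="_self" />`, and layout markup in what looks like a bundled TinyMCE dialog. If the full commit carries the actual fix in other files, bundling this markup refresh with it makes the security change harder to audit and backport. A separate commit would keep the fix traceable, as would a description line along the lines of `Also updates the bundled TinyMCE xhtmlxtras dialog markup (accessibility only)`, assuming that is indeed all it does. The remaining hunks of this file follow the same pattern.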
@@ -24,19 +24,19 @@
 <div id="general_panel" class="panel current">
 <fieldset>
 <legend>{#xhtmlxtras_dlg.fieldset_general_tab}</legend>
- <table border="0" cellpadding="0" cellspacing="4">
+ <table role="presentation" border="0" cellpadding="0" cellspacing="4">
 <tr>
 <td class="label"><label id="datetimelabel" for="datetime">{#xhtmlxtras_dlg.attribute_label_datetime}</label>:</td>
 <td>
- <table border="0" cellspacing="0" cellpadding="0">
+ <table role="presentation" border="0" cellspacing="0" cellpadding="0">
 <tr>
 <td><input id="datetime" name="datetime" type="text" value="" maxlength="19" class="field mceFocus" /></td>
- <td><a href="javascript:insertDateTime('datetime');" onmousedown="return false;" class="browse"><span class="datetime" alt="{#xhtmlxtras_dlg.insert_date}" title="{#xhtmlxtras_dlg.insert_date}"></span></a></td>
+ <td ><a href="javascript:insertDateTime('datetime');" onmousedown="return false;" class="browse" role="button" aria-labelledby="datetimelabel"><span class="datetime" title="{#xhtmlxtras_dlg.insert_date}"></span></a></td>
 </tr>
 </table>
 </td>
 </tr>
- <tr>
+ <tr >
 <td class="label"><label id="citelabel" for="cite">{#xhtmlxtras_dlg.attribute_label_cite}</label>:</td>
 <td><input id="cite" name="cite" type="text" value="" class="field" /></td>
 </tr>
@@ -44,9 +44,9 @@
 </fieldset>
 <fieldset>
 <legend>{#xhtmlxtras_dlg.fieldset_attrib_tab}</legend>
- <table border="0" cellpadding="0" cellspacing="4">
+ <table role="presentation" border="0" cellpadding="0" cellspacing="4">
 <tr>
- <td class="label"><label id="titlelabel" for="title">{#xhtmlxtras_dlg.attribute_label_title}</label>:</td>
+ <td class="label"><label id="titlelabel" for="title">{#xhtmlxtras_dlg.attribute_label_title}</label>:</td>
 <td><input id="title" name="title" type="text" value="" class="field" /></td>
 </tr>
 <tr>
@@ -62,7 +62,7 @@ </td> </tr> <tr> - <td class="label"><label id="stylelabel" for="class">{#xhtmlxtras_dlg.attribute_label_style}</label>:</td> + <td class="label"><label id="stylelabel" for="style">{#xhtmlxtras_dlg.attribute_label_style}</label>:</td> <td><input id="style" name="style" type="text" value="" class="field" /></td> </tr> <tr> @@ -88,7 +88,7 @@ <fieldset> <legend>{#xhtmlxtras_dlg.fieldset_events_tab}</legend> - <table border="0" cellpadding="0" cellspacing="4"> + <table role="presentation" border="0" cellpadding="0" cellspacing="4"> <tr> <td class="label"><label for="onfocus">onfocus</label>:</td> <td><input id="onfocus" name="onfocus" type="text" value="" class="field" /></td> @@ -153,18 +153,10 @@ </div> </div> <div class="mceActionPanel"> - <div style="float: left"> - <input type="submit" id="insert" name="insert" value="{#update}" /> - </div> - <div style="float: left"> - <input type="button" id="remove" name="remove" class="button" value="{#xhtmlxtras_dlg.remove}" onclick="removeIns();" style="display: none;" /> - </div> - <div style="float: right"> - <input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" /> - </div> + <input type="submit" id="insert" name="insert" value="{#update}" /> + <input type="button" id="remove" name="remove" class="button" value="{#xhtmlxtras_dlg.remove}" onclick="removeIns();" style="display: none;" /> + <input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" /> </div> - </form> - </body> </html> -- Gitblit v1.9.1