From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/themes/advanced/anchor.htm |   20 +++++++-------------
 1 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/program/js/tiny_mce/themes/advanced/anchor.htm b/program/js/tiny_mce/themes/advanced/anchor.htm
index 9e4c0b9..75c93b7 100644
--- a/program/js/tiny_mce/themes/advanced/anchor.htm
+++ b/program/js/tiny_mce/themes/advanced/anchor.htm
@@ -4,28 +4,22 @@
 	<title>{#advanced_dlg.anchor_title}</title>
 	<script type="text/javascript" src="../../tiny_mce_popup.js"></script>
 	<script type="text/javascript" src="js/anchor.js"></script>
-	<base target="_self" />
 </head>
-<body style="display: none">
+<body style="display: none" role="application" aria-labelledby="app_title">
 <form onsubmit="AnchorDialog.update();return false;" action="#">
-	<table border="0" cellpadding="4" cellspacing="0">
+	<table border="0" cellpadding="4" cellspacing="0" role="presentation">
 		<tr>
-			<td colspan="2" class="title">{#advanced_dlg.anchor_title}</td>
+			<td colspan="2" class="title" id="app_title">{#advanced_dlg.anchor_title}</td>
 		</tr>
 		<tr>
-			<td nowrap="nowrap">{#advanced_dlg.anchor_name}:</td>
-			<td><input name="anchorName" type="text" class="mceFocus" id="anchorName" value="" style="width: 200px" /></td>
+			<td class="nowrap"><label for="anchorName">{#advanced_dlg.anchor_name}:</label></td>
+			<td><input name="anchorName" type="text" class="mceFocus" id="anchorName" value="" style="width: 200px" aria-required="true" /></td>
 		</tr>
 	</table>
 
 	<div class="mceActionPanel">
-		<div style="float: left">
-			<input type="submit" id="insert" name="insert" value="{#update}" />
-		</div>
-
-		<div style="float: right">
-			<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
-		</div>
+		<input type="submit" id="insert" name="insert" value="{#update}" />
+		<input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();" />
 	</div>
 </form>
 </body>

--
Gitblit v1.9.1