From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/js/tiny_mce/themes/advanced/color_picker.htm | 48 ++++++++++++++++++++++--------------------------
 1 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/program/js/tiny_mce/themes/advanced/color_picker.htm b/program/js/tiny_mce/themes/advanced/color_picker.htm
index 668d744..b625531 100644
--- a/program/js/tiny_mce/themes/advanced/color_picker.htm
+++ b/program/js/tiny_mce/themes/advanced/color_picker.htm
@@ -1,27 +1,28 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> - <title>{$lang_theme_colorpicker_title}</title> - <script language="javascript" type="text/javascript" src="../../tiny_mce_popup.js"></script> - <script language="javascript" type="text/javascript" src="../../utils/mctabs.js"></script> - <script language="javascript" type="text/javascript" src="jscripts/color_picker.js"></script> - <link href="css/colorpicker.css" rel="stylesheet" type="text/css" /> - <base target="_self" /> + <title>{#advanced_dlg.colorpicker_title}</title> + <script type="text/javascript" src="../../tiny_mce_popup.js"></script> + <script type="text/javascript" src="../../utils/mctabs.js"></script> + <script type="text/javascript" src="js/color_picker.js"></script> </head> -<body onload="tinyMCEPopup.executeOnLoad('init();');" style="display: none"> +<body id="colorpicker" style="display: none" role="application" aria-labelledby="app_label"> + <span class="mceVoiceLabel" id="app_label" style="display:none;">{#advanced_dlg.colorpicker_title}</span> +<form onsubmit="insertAction();return false" action="#"> <div class="tabs"> <ul> - <li id="picker_tab" class="current"><span><a href="javascript:mcTabs.displayTab('picker_tab','picker_panel');" onmousedown="return false;">{$lang_color_picker_tab}</a></span></li> - <li id="rgb_tab"><span><a href="#" onclick="generateWebColors();mcTabs.displayTab('rgb_tab','rgb_panel');" onmousedown="return false;">{$lang_web_colors_tab}</a></span></li> - <li id="named_tab"><span><a href="#" onclick="generateNamedColors();javascript:mcTabs.displayTab('named_tab','named_panel');" onmousedown="return false;">{$lang_named_colors_tab}</a></span></li> + <li id="picker_tab" aria-controls="picker_panel" class="current"><span><a href="javascript:mcTabs.displayTab('picker_tab','picker_panel');" onmousedown="return 
false;">{#advanced_dlg.colorpicker_picker_tab}</a></span></li> + <li id="rgb_tab" aria-controls="rgb_panel"><span><a href="javascript:;" onclick="mcTabs.displayTab('rgb_tab','rgb_panel');" onmousedown="return false;">{#advanced_dlg.colorpicker_palette_tab}</a></span></li> + <li id="named_tab" aria-controls="named_panel"><span><a href="javascript:;" onclick="javascript:mcTabs.displayTab('named_tab','named_panel');" onmousedown="return false;">{#advanced_dlg.colorpicker_named_tab}</a></span></li> </ul> </div> <div class="panel_wrapper"> <div id="picker_panel" class="panel current"> <fieldset> - <legend>{$lang_color_picker}</legend> + <legend>{#advanced_dlg.colorpicker_picker_title}</legend> <div id="picker"> - <img id="colorpicker" src="images/colors.jpg" onclick="computeColor(event)" onmousedown="isMouseDown = true;return false;" onmouseup="isMouseDown = false;" onmousemove="if (isMouseDown && isMouseOver) computeColor(event); return false;" onmouseover="isMouseOver=true;" onmouseout="isMouseOver=false;" /> + <img id="colors" src="img/colorpicker.jpg" onclick="computeColor(event)" onmousedown="isMouseDown = true;return false;" onmouseup="isMouseDown = false;" onmousemove="if (isMouseDown && isMouseOver) computeColor(event); return false;" onmouseover="isMouseOver=true;" onmouseout="isMouseOver=false;" alt="" /> <div id="light"> <!-- Will be filled with divs --> @@ -34,7 +35,7 @@ <div id="rgb_panel" class="panel"> <fieldset> - <legend>{$lang_web_colors}</legend> + <legend id="webcolors_title">{#advanced_dlg.colorpicker_palette_title}</legend> <div id="webcolors"> <!-- Gets filled with web safe colors--> </div> 
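Review bot: Nothing in the first hunk touches the `_session` argument or `utils/save-prefs` named in the subject. The changed lines belong to what appears (from the `program/js/tiny_mce/` path) to be the bundled TinyMCE colour-picker dialog: placeholder syntax moves from `{$lang_…}` to `{#advanced_dlg.…}`, ARIA attributes are added, and the body is wrapped in a `<form>`. The diffstat lists only this file, so if this page is a per-file slice of a larger commit, the actual fix sits in a file not shown here. Either way, a third-party library refresh under a vulnerability-fix subject makes the security change harder to audit and backport. I would split it into its own commit, or at least add a body line such as `Also updates bundled TinyMCE theme dialogs; the save-prefs fix is in <path of the fixed file>.`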
@@ -44,31 +45,26 @@ </div> <div id="named_panel" class="panel"> - <fieldset> - <legend>{$lang_named_colors}</legend> - <div id="namedcolors"> + <fieldset id="named_picker_label"> + <legend id="named_title">{#advanced_dlg.colorpicker_named_title}</legend> + <div id="namedcolors" role="listbox" tabindex="0" aria-labelledby="named_picker_label"> <!-- Gets filled with named colors--> </div> <br style="clear: both" /> <div id="colornamecontainer"> - {$lang_color_name} <span id="colorname"></span> + {#advanced_dlg.colorpicker_name} <span id="colorname"></span> </div> </fieldset> </div> </div> <div class="mceActionPanel"> - <div style="float: left"> - <input type="button" id="insert" name="insert" value="{$lang_theme_colorpicker_apply}" onclick="insertAction();" /> - </div> - - <div id="preview"></div> - - <div id="previewblock"> - <label for="color">{$lang_color}</label> <input id="color" type="text" size="8" maxlength="8" class="text" /> - </div> + <input type="submit" id="insert" name="insert" value="{#apply}" /> + <input type="button" id="cancel" name="cancel" value="{#cancel}" onclick="tinyMCEPopup.close();"/> + <div id="preview_wrapper"><div id="previewblock"><label for="color">{#advanced_dlg.colorpicker_color}</label> <input id="color" type="text" size="8" class="text mceFocus" aria-required="true" /></div><span id="preview"></span></div> </div> +</form> </body> </html> -- Gitblit v1.9.1
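Review bot: The new `#color` input in this hunk drops `maxlength="8"`, and the Apply button becomes `type="submit"`, so the typed value now reaches `insertAction()` through the form's `onsubmit` handler from the first hunk. `insertAction()` is defined outside this diff (presumably in `js/color_picker.js`), so it cannot be confirmed from here that the value is checked to be a colour before it is handed back to the editor. A client-side length cap was only ever a UI hint, so the check belongs in the script rather than in restoring the attribute. It is worth confirming that check exists and recording it next to the input, for example `<!-- free-text field: value must be validated in insertAction() before use -->`.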