From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/themes/advanced/js/link.js |   30 +++++++++++++++++-------------
 1 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/program/js/tiny_mce/themes/advanced/js/link.js b/program/js/tiny_mce/themes/advanced/js/link.js
index 2974878..8c1d73c 100644
--- a/program/js/tiny_mce/themes/advanced/js/link.js
+++ b/program/js/tiny_mce/themes/advanced/js/link.js
@@ -31,7 +31,7 @@
 	},
 
 	update : function() {
-		var f = document.forms[0], ed = tinyMCEPopup.editor, e, b;
+		var f = document.forms[0], ed = tinyMCEPopup.editor, e, b, href = f.href.value.replace(/ /g, '%20');
 
 		tinyMCEPopup.restoreSelection();
 		e = ed.dom.getParent(ed.selection.getNode(), 'A');
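Review bot: The new `href` on line 19 only swaps literal spaces for `%20`, so leading or trailing whitespace in the field survives as `%20`, and the `^\s*www\.` test in the hunk at -92 shows the dialog tolerates such input: ` www.example.com` becomes `http:// www.example.com` there and then `http://%20www.example.com` here. Trimming before encoding keeps the padding from being baked into the link: `href = f.href.value.replace(/^\s+|\s+$/g, '').replace(/ /g, '%20');`. The emptiness check further down still reads `f.href.value`, so a whitespace-only field is not treated as empty; if it should be, compare `href` there instead. Tabs and newlines are not touched by `/ /g`, and nothing in this hunk validates the URL scheme, so any such filtering presumably comes from the editor's own serializer (not visible here). update() continues past the end of the hunk.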
@@ -39,7 +39,6 @@
 		// Remove element if there is no href
 		if (!f.href.value) {
 			if (e) {
-				tinyMCEPopup.execCommand("mceBeginUndoLevel");
 				b = ed.selection.getBookmark();
 				ed.dom.remove(e, 1);
 				ed.selection.moveToBookmark(b);
@@ -49,31 +48,36 @@
 			}
 		}
 
-		tinyMCEPopup.execCommand("mceBeginUndoLevel");
-
 		// Create new anchor elements
 		if (e == null) {
-			tinyMCEPopup.execCommand("CreateLink", false, "#mce_temp_url#", {skip_undo : 1});
+			ed.getDoc().execCommand("unlink", false, null);
+			tinyMCEPopup.execCommand("mceInsertLink", false, "#mce_temp_url#", {skip_undo : 1});
 
 			tinymce.each(ed.dom.select("a"), function(n) {
 				if (ed.dom.getAttrib(n, 'href') == '#mce_temp_url#') {
 					e = n;
 
 					ed.dom.setAttribs(e, {
-						href : f.href.value,
+						href : href,
 						title : f.linktitle.value,
-						target : f.target_list ? f.target_list.options[f.target_list.selectedIndex].value : null,
-						'class' : f.class_list ? f.class_list.options[f.class_list.selectedIndex].value : null
+						target : f.target_list ? getSelectValue(f, "target_list") : null,
+						'class' : f.class_list ? getSelectValue(f, "class_list") : null
 					});
 				}
 			});
 		} else {
 			ed.dom.setAttribs(e, {
-				href : f.href.value,
-				title : f.linktitle.value,
-				target : f.target_list ? f.target_list.options[f.target_list.selectedIndex].value : null,
-				'class' : f.class_list ? f.class_list.options[f.class_list.selectedIndex].value : null
+				href : href,
+				title : f.linktitle.value
 			});
+	
+			if (f.target_list) {
+				ed.dom.setAttrib(e, 'target', getSelectValue(f, "target_list"));
+			}
+
+			if (f.class_list) {
+				ed.dom.setAttrib(e, 'class', getSelectValue(f, "class_list"));
+			}
 		}
 
 		// Don't move caret if selection was image
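Review bot: The two branches now diverge in how `target` and `class` are applied: the new-anchor branch (lines 53–54) still passes `null` into `setAttribs` when the select is absent, while the existing-anchor branch (lines 68–74) skips the attribute entirely, which presumably leaves a previously set `target`/`class` on the anchor rather than clearing it — confirm that asymmetry is intended, or use the guarded `setAttrib` form in both places. `getSelectValue` is not defined in this hunk; it looks like the TinyMCE form_utils helper and must be loaded by the dialog page for both call sites. The added blank line at 67 carries a stray tab that should be dropped. `ed.getDoc().execCommand("unlink", false, null)` reaches past the TinyMCE wrapper to the native document, and a one-line why-comment such as `// presumably clears any native link at the caret before mceInsertLink creates the placeholder anchor — confirm` would help the next reader.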
@@ -92,7 +96,7 @@
 		if (n.value && Validator.isEmail(n) && !/^\s*mailto:/i.test(n.value) && confirm(tinyMCEPopup.getLang('advanced_dlg.link_is_email')))
 			n.value = 'mailto:' + n.value;
 
-		if (/^\s*www./i.test(n.value) && confirm(tinyMCEPopup.getLang('advanced_dlg.link_is_external')))
+		if (/^\s*www\./i.test(n.value) && confirm(tinyMCEPopup.getLang('advanced_dlg.link_is_external')))
 			n.value = 'http://' + n.value;
 	},
 

--
Gitblit v1.9.1