From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/js/cell.js |   18 ++++++++----------
 1 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/js/cell.js b/program/js/tiny_mce/plugins/table/js/cell.js
index b5fc1fd..45e6061 100644
--- a/program/js/tiny_mce/plugins/table/js/cell.js
+++ b/program/js/tiny_mce/plugins/table/js/cell.js
@@ -83,8 +83,6 @@
 		return;
 	}
 
-	ed.execCommand('mceBeginUndoLevel');
-
 	switch (getSelectValue(formObj, 'action')) {
 		case "cell":
 			var celltype = getSelectValue(formObj, 'celltype');
@@ -166,15 +164,15 @@
 	var dom = ed.dom;
 
 	if (!skip_id)
-		td.setAttribute('id', formObj.id.value);
+		dom.setAttrib(td, 'id', formObj.id.value);
 
-	td.setAttribute('align', formObj.align.value);
-	td.setAttribute('vAlign', formObj.valign.value);
-	td.setAttribute('lang', formObj.lang.value);
-	td.setAttribute('dir', getSelectValue(formObj, 'dir'));
-	td.setAttribute('style', ed.dom.serializeStyle(ed.dom.parseStyle(formObj.style.value)));
-	td.setAttribute('scope', formObj.scope.value);
-	ed.dom.setAttrib(td, 'class', getSelectValue(formObj, 'class'));
+	dom.setAttrib(td, 'align', formObj.align.value);
+	dom.setAttrib(td, 'vAlign', formObj.valign.value);
+	dom.setAttrib(td, 'lang', formObj.lang.value);
+	dom.setAttrib(td, 'dir', getSelectValue(formObj, 'dir'));
+	dom.setAttrib(td, 'style', ed.dom.serializeStyle(ed.dom.parseStyle(formObj.style.value)));
+	dom.setAttrib(td, 'scope', formObj.scope.value);
+	dom.setAttrib(td, 'class', getSelectValue(formObj, 'class'));
 
 	// Clear deprecated attributes
 	ed.dom.setAttrib(td, 'width', '');
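Review bot: The rewritten attribute block mixes the local `dom` alias with `ed.dom`: the new `style` line still calls `ed.dom.serializeStyle(ed.dom.parseStyle(...))`, so it would read more consistently as `dom.setAttrib(td, 'style', dom.serializeStyle(dom.parseStyle(formObj.style.value)));`. Separately, nothing in this section touches the `_session` argument of utils/save-prefs named in the subject, and the diffstat lists only this file, so anyone auditing the fix should not take this hunk as the security change itself. A line in the commit message saying why the table plugin changes would help. The path suggests a bundled TinyMCE copy, so the edit is presumably best matched to the upstream release rather than made by hand. The enclosing function starts and ends outside the hunk.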

--
Gitblit v1.9.1