From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/js/cell.js |   20 +++++++++-----------
 1 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/js/cell.js b/program/js/tiny_mce/plugins/table/js/cell.js
index f246191..45e6061 100644
--- a/program/js/tiny_mce/plugins/table/js/cell.js
+++ b/program/js/tiny_mce/plugins/table/js/cell.js
@@ -24,7 +24,7 @@
 	var bordercolor = convertRGBToHex(getStyle(tdElm, 'bordercolor', 'borderLeftColor'));
 	var bgcolor = convertRGBToHex(getStyle(tdElm, 'bgcolor', 'backgroundColor'));
 	var className = ed.dom.getAttrib(tdElm, 'class');
-	var backgroundimage = getStyle(tdElm, 'background', 'backgroundImage').replace(new RegExp("url\\('?([^']*)'?\\)", 'gi'), "$1");;
+	var backgroundimage = getStyle(tdElm, 'background', 'backgroundImage').replace(new RegExp("url\\(['\"]?([^'\"]*)['\"]?\\)", 'gi'), "$1");
 	var id = ed.dom.getAttrib(tdElm, 'id');
 	var lang = ed.dom.getAttrib(tdElm, 'lang');
 	var dir = ed.dom.getAttrib(tdElm, 'dir');
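Review bot: The replacement pattern on the `+` line still accepts mismatched quotes, because the leading and trailing `['"]?` are independent: `url('x")` is stripped to `x` just like a well-formed value, and a value with whitespace inside the parentheses, `url( 'x' )`, is not matched at all and is passed through untouched. If the intent is only to strip the optional quotes, a regex literal such as `/url\(\s*['"]?([^'"]*)['"]?\s*\)/gi` handles the whitespace and avoids the double escaping that `new RegExp("...")` forces. The enclosing function starts before this hunk, so how `backgroundimage` is used afterwards cannot be confirmed here; a comment stating that the result is the raw, un-normalised URL taken from the cell's existing style would help the reader.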
@@ -82,8 +82,6 @@
 		tinyMCEPopup.close();
 		return;
 	}
-
-	ed.execCommand('mceBeginUndoLevel');
 
 	switch (getSelectValue(formObj, 'action')) {
 		case "cell":
@@ -166,15 +164,15 @@
 	var dom = ed.dom;
 
 	if (!skip_id)
-		td.setAttribute('id', formObj.id.value);
+		dom.setAttrib(td, 'id', formObj.id.value);
 
-	td.setAttribute('align', formObj.align.value);
-	td.setAttribute('vAlign', formObj.valign.value);
-	td.setAttribute('lang', formObj.lang.value);
-	td.setAttribute('dir', getSelectValue(formObj, 'dir'));
-	td.setAttribute('style', ed.dom.serializeStyle(ed.dom.parseStyle(formObj.style.value)));
-	td.setAttribute('scope', formObj.scope.value);
-	ed.dom.setAttrib(td, 'class', getSelectValue(formObj, 'class'));
+	dom.setAttrib(td, 'align', formObj.align.value);
+	dom.setAttrib(td, 'vAlign', formObj.valign.value);
+	dom.setAttrib(td, 'lang', formObj.lang.value);
+	dom.setAttrib(td, 'dir', getSelectValue(formObj, 'dir'));
+	dom.setAttrib(td, 'style', ed.dom.serializeStyle(ed.dom.parseStyle(formObj.style.value)));
+	dom.setAttrib(td, 'scope', formObj.scope.value);
+	dom.setAttrib(td, 'class', getSelectValue(formObj, 'class'));
 
 	// Clear deprecated attributes
 	ed.dom.setAttrib(td, 'width', '');
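Review bot: The `style` line in the new block still goes through `ed.dom.serializeStyle(ed.dom.parseStyle(...))` even though the hunk introduces the `dom` alias for every other call; `dom.setAttrib(td, 'style', dom.serializeStyle(dom.parseStyle(formObj.style.value)));` keeps it consistent with its neighbours. Switching from `td.setAttribute` to `dom.setAttrib` also changes behaviour for empty form fields: in TinyMCE 3 `DOMUtils.setAttrib` appears to remove the attribute when the value is empty rather than storing `""`, and routes the value through the editor's attribute handling, so a short comment such as `// use dom.setAttrib so form-supplied values go through the editor's attribute handling (empty values drop the attribute)` would record why the change was made. The commit subject describes a fix to the `_session` argument of utils/save-prefs, which nothing in this patch touches, so the message and the diff appear mismatched. The enclosing function begins and ends outside this hunk.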
