From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/tiny_mce/plugins/table/js/merge_cells.js |   38 ++++++++++++++++++--------------------
 1 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/program/js/tiny_mce/plugins/table/js/merge_cells.js b/program/js/tiny_mce/plugins/table/js/merge_cells.js
index 4fd026b..7ee4bf0 100644
--- a/program/js/tiny_mce/plugins/table/js/merge_cells.js
+++ b/program/js/tiny_mce/plugins/table/js/merge_cells.js
@@ -1,29 +1,27 @@
 tinyMCEPopup.requireLangPack();
 
-function init() {
-	var f = document.forms[0], v;
+var MergeCellsDialog = {
+	init : function() {
+		var f = document.forms[0];
 
-	tinyMCEPopup.resizeToInnerSize();
+		f.numcols.value = tinyMCEPopup.getWindowArg('cols', 1);
+		f.numrows.value = tinyMCEPopup.getWindowArg('rows', 1);
+	},
 
-	f.numcols.value = tinyMCEPopup.getWindowArg('numcols', 1);
-	f.numrows.value = tinyMCEPopup.getWindowArg('numcols', 1);
-}
+	merge : function() {
+		var func, f = document.forms[0];
 
-function mergeCells() {
-	var args = [], f = document.forms[0];
+		tinyMCEPopup.restoreSelection();
 
-	tinyMCEPopup.restoreSelection();
+		func = tinyMCEPopup.getWindowArg('onaction');
 
-	if (!AutoValidator.validate(f)) {
-		alert(tinyMCEPopup.getLang('invalid_data'));
-		return false;
+		func({
+			cols : f.numcols.value,
+			rows : f.numrows.value
+		});
+
+		tinyMCEPopup.close();
 	}
+};
 
-	args["numcols"] = f.numcols.value;
-	args["numrows"] = f.numrows.value;
-
-	tinyMCEPopup.execCommand("mceTableMergeCells", false, args);
-	tinyMCEPopup.close();
-}
-
-tinyMCEPopup.onInit.add(init);
+tinyMCEPopup.onInit.add(MergeCellsDialog.init, MergeCellsDialog);

--
Gitblit v1.9.1