Merged 8.7.14.
commit
5bccfd2575
|
@ -0,0 +1,104 @@
|
|||
/**
|
||||
* For jQuery versions less than 3.5.0, this replaces the jQuery.htmlPrefilter()
|
||||
* function with one that fixes these security vulnerabilities while also
|
||||
* retaining the pre-3.5.0 behavior where it's safe to do so.
|
||||
* - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
|
||||
* - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
|
||||
*/
|
||||
|
||||
(function (jQuery) {
|
||||
|
||||
// No backport is needed if we're already on jQuery 3.5 or higher.
|
||||
var versionParts = jQuery.fn.jquery.split('.');
|
||||
var majorVersion = parseInt(versionParts[0]);
|
||||
var minorVersion = parseInt(versionParts[1]);
|
||||
if ( (majorVersion > 3) || (majorVersion === 3 && minorVersion >= 5) ) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Prior to jQuery 3.5, jQuery converted XHTML-style self-closing tags to
|
||||
// their XML equivalent: e.g., "<div />" to "<div></div>". This is
|
||||
// problematic for several reasons, including that it's vulnerable to XSS
|
||||
// attacks. However, since this was jQuery's behavior for many years, many
|
||||
// Drupal modules and jQuery plugins may be relying on it. Therefore, we
|
||||
// preserve that behavior, but for a limited set of tags only, that we believe
|
||||
// to not be vulnerable. This is the set of HTML tags that satisfy all of the
|
||||
// following conditions:
|
||||
// - In DOMPurify's list of HTML tags. If an HTML tag isn't safe enough to
|
||||
// appear in that list, then we don't want to mess with it here either.
|
||||
// @see https://github.com/cure53/DOMPurify/blob/2.0.11/dist/purify.js#L128
|
||||
// - A normal element (not a void, template, text, or foreign element).
|
||||
// @see https://html.spec.whatwg.org/multipage/syntax.html#elements-2
|
||||
// - An element that is still defined by the current HTML specification
|
||||
// (not a deprecated element), because we do not want to rely on how
|
||||
// browsers parse deprecated elements.
|
||||
// @see https://developer.mozilla.org/en-US/docs/Web/HTML/Element
|
||||
// - Not 'html', 'head', or 'body', because this pseudo-XHTML expansion is
|
||||
// designed for fragments, not entire documents.
|
||||
// - Not 'colgroup', because due to an idiosyncrasy of jQuery's original
|
||||
// regular expression, it didn't match on colgroup, and we don't want to
|
||||
// introduce a behavior change for that.
|
||||
var selfClosingTagsToReplace = [
|
||||
'a', 'abbr', 'address', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo',
|
||||
'blockquote', 'button', 'canvas', 'caption', 'cite', 'code', 'data',
|
||||
'datalist', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em',
|
||||
'fieldset', 'figcaption', 'figure', 'footer', 'form', 'h1', 'h2', 'h3',
|
||||
'h4', 'h5', 'h6', 'header', 'hgroup', 'i', 'ins', 'kbd', 'label', 'legend',
|
||||
'li', 'main', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup',
|
||||
'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt',
|
||||
'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span',
|
||||
'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th',
|
||||
'thead', 'time', 'tr', 'u', 'ul', 'var', 'video'
|
||||
];
|
||||
|
||||
// Define regular expressions for <TAG/> and <TAG ATTRIBUTES/>. Doing this as
|
||||
// two expressions makes it easier to target <a/> without also targeting
|
||||
// every tag that starts with "a".
|
||||
var xhtmlRegExpGroup = '(' + selfClosingTagsToReplace.join('|') + ')';
|
||||
var whitespace = '[\\x20\\t\\r\\n\\f]';
|
||||
var rxhtmlTagWithoutSpaceOrAttributes = new RegExp('<' + xhtmlRegExpGroup + '\\/>', 'gi');
|
||||
var rxhtmlTagWithSpaceAndMaybeAttributes = new RegExp('<' + xhtmlRegExpGroup + '(' + whitespace + '[^>]*)\\/>', 'gi');
|
||||
|
||||
// jQuery 3.5 also fixed a vulnerability for when </select> appears within
|
||||
// an <option> or <optgroup>, but it did that in local code that we can't
|
||||
// backport directly. Instead, we filter such cases out. To do so, we need to
|
||||
// determine when jQuery would otherwise invoke the vulnerable code, which it
|
||||
// uses this regular expression to determine. The regular expression changed
|
||||
// for version 3.4.0.
|
||||
// @see https://github.com/jquery/jquery/blob/3.2.1/dist/jquery.js#L4695
|
||||
// @see https://github.com/jquery/jquery/blob/3.4.0/dist/jquery.js#L4712
|
||||
var rtagName;
|
||||
if (minorVersion < 4) {
|
||||
rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]+)/i;
|
||||
}
|
||||
else {
|
||||
rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]*)/i;
|
||||
}
|
||||
|
||||
jQuery.extend({
|
||||
htmlPrefilter: function (html) {
|
||||
// This is how jQuery determines the first tag in the HTML.
|
||||
// @see https://github.com/jquery/jquery/blob/3.2.1/dist/jquery.js#L4794
|
||||
var tag = ( rtagName.exec( html ) || [ "", "" ] )[ 1 ].toLowerCase();
|
||||
|
||||
// It is not valid HTML for <option> or <optgroup> to have <select> as
|
||||
// either a descendant or sibling, and attempts to inject one can cause
|
||||
// XSS on jQuery versions before 3.5. Since this is invalid HTML and a
|
||||
// possible XSS attack, reject the entire string.
|
||||
// @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
|
||||
if ((tag === 'option' || tag === 'optgroup') && html.match(/<\/?select/i)) {
|
||||
html = '';
|
||||
}
|
||||
|
||||
// Retain jQuery 3.2's conversion of pseudo-XHTML, but for only the
|
||||
// tags in the `selfClosingTagsToReplace` list defined above.
|
||||
// @see https://github.com/jquery/jquery/blob/3.2.1/dist/jquery.js#L5822
|
||||
// @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
|
||||
html = html.replace(rxhtmlTagWithoutSpaceOrAttributes, "<$1></$1>");
|
||||
html = html.replace(rxhtmlTagWithSpaceAndMaybeAttributes, "<$1$2></$1>");
|
||||
|
||||
return html;
|
||||
}
|
||||
});
|
||||
|
||||
})(jQuery);
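Review bot: The `if (minorVersion < 4)` branch that selects `rtagName` looks only at the minor version, although the header comment says the file applies to every jQuery below 3.5.0 and the two patterns are cited from 3.2.1 and 3.4.0 only. On a jQuery whose major version is not 3, the choice between the `+` and `*` patterns therefore follows an unrelated minor number. Because `tag` decides whether the `</select>` rejection for CVE-2020-11023 runs at all, a pattern that differs from the one the loaded jQuery uses could leave that check out of step with the code it guards. I would state the assumption above the branch, for example `// Assumes jQuery 3.x: these patterns were copied from 3.2.1 and 3.4.0 and have not been checked against other major versions.`, and add a `majorVersion` test to the condition if other majors must be supported.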
|
|
@ -356,9 +356,11 @@ jquery:
|
|||
gpl-compatible: true
|
||||
js:
|
||||
assets/vendor/jquery/jquery.min.js: { minified: true, weight: -20 }
|
||||
# This includes a security fix, so assign a weight that makes this load as
|
||||
# soon after jquery.min.js is loaded as possible.
|
||||
# These include security fixes, so assign a weight that makes them load as
|
||||
# soon after jquery.min.js is loaded as possible. Their relative order to
|
||||
# each other doesn't matter.
|
||||
assets/vendor/jquery/jquery-extend-3.4.0.js: { weight: -19 }
|
||||
assets/vendor/jquery/jquery-htmlprefilter-3.5.0.js: { weight: -19 }
|
||||
|
||||
jquery.cookie:
|
||||
remote: https://github.com/carhartl/jquery-cookie
|
||||
|
|
|
@ -97,6 +97,13 @@ function system_post_update_fix_jquery_extend() {
|
|||
// Empty post-update hook.
|
||||
}
|
||||
|
||||
/**
|
||||
* Clear the library cache and ensure aggregate files are regenerated.
|
||||
*/
|
||||
function system_post_update_fix_jquery_htmlprefilter() {
|
||||
// Empty post-update hook.
|
||||
}
|
||||
|
||||
/**
|
||||
* Change plugin IDs of actions.
|
||||
*/
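Review bot: The body comment `// Empty post-update hook.` in `system_post_update_fix_jquery_htmlprefilter()` does not say why an empty function is enough to deliver a security fix, which is what an operator needs to know. I would expand it to something like `// Intentionally empty: running database updates rebuilds caches, so the library definition and aggregated JS pick up jquery-htmlprefilter-3.5.0.js.` If that is the mechanism (it is not visible in this hunk), the docblock could also note that a site which deploys the code without running updates may keep serving aggregates built without the prefilter. The docblock that follows belongs to a function that continues outside the hunk.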
|
||||
|
|