Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patches for CVE-2020-11022 and CVE-2020-11023 #281

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 14 additions & 7 deletions vendor/assets/javascripts/jquery.js
Original file line number Diff line number Diff line change
Expand Up @@ -209,8 +209,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

Expand Down Expand Up @@ -4492,6 +4493,12 @@ function createSafeFragment( document ) {
div.innerHTML = "<textarea>x</textarea>";
support.noCloneChecked = !!div.cloneNode( true ).lastChild.defaultValue;

// Support: IE <=9 only
// IE <=9 replaces <option> tags with their contents when inserted outside of
// the select element.
div.innerHTML = "<option></option>";
support.option = !!div.lastChild;

// #11217 - WebKit loses check when the name is after the checked attribute
fragment.appendChild( div );

Expand Down Expand Up @@ -4522,7 +4529,6 @@ function createSafeFragment( document ) {

// We have to close these tags to support XHTML (#13200)
var wrapMap = {
option: [ 1, "<select multiple='multiple'>", "</select>" ],
legend: [ 1, "<fieldset>", "</fieldset>" ],
area: [ 1, "<map>", "</map>" ],

Expand All @@ -4538,12 +4544,14 @@ var wrapMap = {
_default: support.htmlSerialize ? [ 0, "", "" ] : [ 1, "X<div>", "</div>" ]
};

// Support: IE8-IE9
wrapMap.optgroup = wrapMap.option;

wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

// Support: IE <=9 only
if ( !support.option ) {
wrapMap.optgroup = wrapMap.option = [ 1, "<select multiple='multiple'>", "</select>" ];
}


function getAll( context, tag ) {
var elems, elem,
Expand Down Expand Up @@ -5871,7 +5879,6 @@ jQuery.fn.extend( {

var rinlinejQuery = / jQuery\d+="(?:null|\d+)"/g,
rnoshimcache = new RegExp( "<(?:" + nodeNames + ")[\\s/>]", "i" ),
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,

// Support: IE 10-11, Edge 10240+
// In IE/Edge using regex groups here causes severe slowdowns.
Expand Down Expand Up @@ -6127,7 +6134,7 @@ function remove( elem, selector, keepData ) {

jQuery.extend( {
htmlPrefilter: function( html ) {
return html.replace( rxhtmlTag, "<$1></$2>" );
return html;
},

clone: function( elem, dataAndEvents, deepDataAndEvents ) {
Expand Down
8 changes: 4 additions & 4 deletions vendor/assets/javascripts/jquery.min.js

Large diffs are not rendered by default.

23 changes: 14 additions & 9 deletions vendor/assets/javascripts/jquery2.js
Original file line number Diff line number Diff line change
Expand Up @@ -209,8 +209,9 @@ jQuery.extend = jQuery.fn.extend = function() {
src = target[ name ];
copy = options[ name ];

// Prevent Object.prototype pollution
// Prevent never-ending loop
if ( target === copy ) {
if ( name === "__proto__" || target === copy ) {
continue;
}

Expand Down Expand Up @@ -4252,9 +4253,6 @@ var rscriptType = ( /^$|\/(?:java|ecma)script/i );
// We have to close these tags to support XHTML (#13200)
var wrapMap = {

// Support: IE9
option: [ 1, "<select multiple='multiple'>", "</select>" ],

// XHTML parsers do not magically insert elements in the
// same way that tag soup parsers do. So we cannot shorten
// this by omitting <tbody> or other required elements.
Expand All @@ -4266,12 +4264,14 @@ var wrapMap = {
_default: [ 0, "", "" ]
};

// Support: IE9
wrapMap.optgroup = wrapMap.option;

wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

// Support: IE <=9 only
if ( !support.option ) {
wrapMap.optgroup = wrapMap.option = [ 1, "<select multiple='multiple'>", "</select>" ];
}


function getAll( context, tag ) {

Expand Down Expand Up @@ -4419,6 +4419,12 @@ function buildFragment( elems, context, scripts, selection, ignored ) {
// Make sure textarea (and checkbox) defaultValue is properly cloned
div.innerHTML = "<textarea>x</textarea>";
support.noCloneChecked = !!div.cloneNode( true ).lastChild.defaultValue;

// Support: IE <=9 only
// IE <=9 replaces <option> tags with their contents when inserted outside of
// the select element.
div.innerHTML = "<option></option>";
support.option = !!div.lastChild;
} )();


Expand Down Expand Up @@ -5122,7 +5128,6 @@ jQuery.fn.extend( {


var
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,

// Support: IE 10-11, Edge 10240+
// In IE/Edge using regex groups here causes severe slowdowns.
Expand Down Expand Up @@ -5322,7 +5327,7 @@ function remove( elem, selector, keepData ) {

jQuery.extend( {
htmlPrefilter: function( html ) {
return html.replace( rxhtmlTag, "<$1></$2>" );
return html;
},

clone: function( elem, dataAndEvents, deepDataAndEvents ) {
Expand Down
6 changes: 3 additions & 3 deletions vendor/assets/javascripts/jquery2.min.js

Large diffs are not rendered by default.