From 880ea169bdef99878d3f6681a80b3ca7571a5e13 Mon Sep 17 00:00:00 2001
From: Greg Hurrell
Date: Mon, 8 Feb 2021 12:53:29 +0100
Subject: [PATCH 1/2] fix(jquery-form): avoid XSS

Applies the suggested fix that is sitting in an unmerged PR on the upstream repo: https://github.com/jquery-form/form/pull/586
---
 third-party/projects/jquery-form/jquery.form.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/third-party/projects/jquery-form/jquery.form.js b/third-party/projects/jquery-form/jquery.form.js
index 591ad6f1fe..d1a9ecf1c1 100644
--- a/third-party/projects/jquery-form/jquery.form.js
+++ b/third-party/projects/jquery-form/jquery.form.js
@@ -190,6 +190,15 @@ $.fn.ajaxSubmit = function(options) {
 var oldSuccess = options.success || function(){};
 callbacks.push(function(data) {
 var fn = options.replaceTarget ? 'replaceWith' : 'html';
+
+ // Validate `data` through `HTML encoding` when passed
+ // `data` is passed to `html()`, as suggested in
+ // https://github.com/jquery-form/form/issues/464
+
+ data = options.replaceTarget
+ ? data
+ : $.parseHTML($('
').text(data).html());
+
 $(options.target)[fn](data).each(oldSuccess, arguments);
 });
 }
@@ -801,8 +810,12 @@ $.fn.ajaxSubmit = function(options) {
 return (doc && doc.documentElement && doc.documentElement.nodeName != 'parsererror') ? doc : null;
 };
 var parseJSON = $.parseJSON || function(s) {
- /*jslint evil:true */
- return window['eval']('(' + s + ')');
+ // Throw an error instead of making a new function using
+ // unsanitized inputs to avoid XSS attacks.
+
+ window.console.error('jquery.parseJSON is undefined');
+
+ return null;
 };
 var httpData = function( xhr, type, s ) {
 // mostly lifted from jq1.4.4

From a4dd6b1c2a1dcf45d8ab09cf28d3fdf4d1f8a8af Mon Sep 17 00:00:00 2001
From: Greg Hurrell
Date: Mon, 8 Feb 2021 12:55:47 +0100
Subject: [PATCH 2/2] chore(jquery-form): disable AMD loading for compatibility with DXP

In our previous fork of this module, we have an `if (false)` condition to prevent the module from calling `define`: https://github.com/liferay/liferay-portal/blob/19d993d6e3c0dd6865924bf23f75992f52fc355e/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js#L33 That's pretty ugly, and just stripping out the conditional is a still a pretty minimal edit, so let's go with that instead. Note that if you look at the DXP version, we wrap the entire function in a wrapper that just passes in `window.$` as `jQuery`, but that changes the indentation level of the entire file, so to make a minimal edit here we don't do that. After this change, we're basically identical to what is in DXP (compared that by source-formatting the file, overwriting it with the DXP copy, and inspecting the changes with `git diff -w`).
---
 third-party/projects/jquery-form/jquery.form.js | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/third-party/projects/jquery-form/jquery.form.js b/third-party/projects/jquery-form/jquery.form.js
index d1a9ecf1c1..5daacca003 100644
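Review bot: The escaping added before `$(options.target)[fn](data)` is skipped whenever `options.replaceTarget` is truthy — the new ternary passes `data` through untouched, and `replaceWith` parses a string as HTML exactly as `html()` does, so that branch keeps the injection this patch sets out to close. Unless `replaceTarget` callers are meant to opt in to raw markup, escape on both paths by building a text node once, `data = document.createTextNode(data == null ? '' : String(data));`, which both `html()` and `replaceWith()` accept and which also drops the `$.parseHTML` call (present only from jQuery 1.8, and not in Zepto, which the loader in the second patch still passes in). Either way the comment above the assignment should say what actually changes for users: the `.text(data).html()` round-trip turns the response into literal text, so responses that were intentionally HTML now render escaped — `// Response is inserted as text, never parsed as HTML (issue #464)` would be more accurate than "Validate `data` through `HTML encoding`". The enclosing `ajaxSubmit` function starts and ends outside the hunk.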
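Review bot: The new `parseJSON` fallback does not do what its comment says — the comment announces a throw, but the body calls `window.console.error` and returns `null`, so JSON callers of `httpData` silently receive `null`, and on the old engines where `$.parseJSON` is missing (the only case in which this fallback runs) `window.console` is itself frequently undefined while devtools are closed, which turns the fallback into a `TypeError` on the console line. Both problems disappear if the fallback parses rather than reports: `var parseJSON = $.parseJSON || function(s) { return window.JSON.parse(s); };` is non-evaluating and raises `SyntaxError` on malformed input, which is the behavior the comment already describes. If a `JSON`-less browser genuinely has to be supported, keep the error path but make it `throw new Error('jquery.parseJSON is undefined');` so code and comment agree and the failure is not swallowed. `httpData` continues below the hunk and the enclosing `ajaxSubmit` starts and ends outside it.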
--- a/third-party/projects/jquery-form/jquery.form.js
+++ b/third-party/projects/jquery-form/jquery.form.js
@@ -10,16 +10,9 @@
 */
 /*global ActiveXObject */
-// AMD support
 (function (factory) {
 "use strict";
- if (typeof define === 'function' && define.amd) {
- // using AMD; register as anon module
- define(['jquery'], factory);
- } else {
- // no AMD; invoke directly
- factory( (typeof(jQuery) != 'undefined') ? jQuery : window.Zepto );
- }
+ factory(window.$ || window.Zepto);
 }
 (function($) {
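Review bot: The replacement bootstrap `factory(window.$ || window.Zepto)` changes which library the plugin attaches to: the removed branch resolved the `jQuery` global, whereas `window.$` can be another library, or undefined after `jQuery.noConflict()`, in which case the `$.fn.ajaxSubmit` assignment inside the factory either throws or lands on the wrong object. Preferring the unambiguous global keeps the previous behavior and still satisfies the DXP setup the commit message describes: `factory(window.jQuery || window.$ || window.Zepto);`. Deleting `// AMD support` also removed the only explanation of this wrapper; a one-line `// AMD registration intentionally disabled: this file is loaded as a plain script in DXP` in its place would spare the next reader a trip through the history. The factory body continues past the hunk.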