From a8e11fe37d2403da700af590d783d08df6803a8d Mon Sep 17 00:00:00 2001 From: Norbert Nemeth Date: Thu, 14 Jan 2021 12:49:01 +0100 Subject: [PATCH 1/4] LPS-125854 Fix XSS validating context and encoding HTML --- .../resources/META-INF/resources/jquery/form.js | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js index bb6c3dd3ab38f8..67ee75aaece0bc 100644 --- a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js +++ b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js @@ -243,6 +243,11 @@ var oldSuccess = options.success || function () {}; callbacks.push(function (data) { var fn = options.replaceTarget ? 'replaceWith' : 'html'; + + // Validate `data` through `HTML encoding` when passed `data` is passed + // to `html()`, as suggested in https://github.com/jquery-form/form/issues/464 + fn == 'html' ? data = $.parseHTML($("
").text(data).html()) : ''; + $(options.target)[fn](data).each(oldSuccess, arguments); }); } @@ -1076,8 +1081,12 @@ var parseJSON = $.parseJSON || function (s) { - /*jslint evil:true */ - return window['eval']('(' + s + ')'); + + // Arise an error resolvable including jquery instead of + // making a new function using unsanitized inputs + + window.console.error('jquery.parseJSON is undefined'); + return null; }; var httpData = function (xhr, type, s) { From b3ae0f1b9565def0def065a5c3301291c948964b Mon Sep 17 00:00:00 2001 From: Norbert Nemeth Date: Fri, 15 Jan 2021 09:35:34 +0100 Subject: [PATCH 2/4] LPS-125854 update file version --- .../src/main/resources/META-INF/resources/jquery/form.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js index 67ee75aaece0bc..9d9844c52fa63d 100644 --- a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js +++ b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js @@ -16,7 +16,7 @@ /*! * jQuery Form Plugin - * version: 3.51.0-2014.06.20 + * version: 3.51.0.LIFERAY-PATCHED-ISSUE-586 * Requires jQuery v1.5 or later * Copyright (c) 2014 M. Alsup * Examples and documentation at: http://malsup.com/jquery/form/ From f871c14f648cba1ece6902afaaf731dc4e7facd4 Mon Sep 17 00:00:00 2001 From: Norbert Nemeth Date: Fri, 15 Jan 2021 10:33:41 +0100 Subject: [PATCH 3/4] LPS-125854 SF --- .../main/resources/META-INF/resources/jquery/form.js | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
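Review bot: The line added before `$(options.target)[fn](data)` turns every response delivered to `options.target` into literal text, not only hostile ones: as far as I can tell `$.parseHTML` of an entity-encoded string yields a single text node, and `.html()` given a node array appends it rather than parsing markup, so a legitimate HTML fragment (the documented use of `target`) now renders as visible `&lt;b&gt;` source. That is a behaviour change for every caller using `target` without `replaceTarget`, and the commit subject and the comment call it validation when it is unconditional escaping. If the intent is that the reply is never trusted as markup here, say so in the comment (`// Render the server reply as text: it is not trusted as HTML`) and consider making it an explicit option rather than a silent default. The element literal inside `$("…")` seems to have been lost in rendering here, presumably `<div>`; the callback registration this hunk patches starts before the hunk.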
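Review bot: `window.console.error(...)` in the new `parseJSON` fallback is unguarded; the plugin header declares jQuery 1.5 support, and in the browsers where `$.parseJSON` could actually be absent `console` may also be undefined until devtools are opened, so the fallback would fail with an unrelated TypeError instead of the intended message. Returning `null` afterwards also leaves a caller of `parseJSON` unable to tell "no JSON parser available" from a response whose JSON was literally `null`. Throwing is simpler and needs no console check: `throw new Error('jquery.parseJSON is undefined');`. Either way the `eval` path is gone, which is the part that matters.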
diff --git a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js index 9d9844c52fa63d..823d3aa40915bb 100644 --- a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js +++ b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js @@ -244,9 +244,12 @@ callbacks.push(function (data) { var fn = options.replaceTarget ? 'replaceWith' : 'html'; - // Validate `data` through `HTML encoding` when passed `data` is passed - // to `html()`, as suggested in https://github.com/jquery-form/form/issues/464 - fn == 'html' ? data = $.parseHTML($("
").text(data).html()) : ''; + // Validate `data` through `HTML encoding` when passed `data` is passed + // to `html()`, as suggested in https://github.com/jquery-form/form/issues/464 + + fn == 'html' + ? (data = $.parseHTML($('
').text(data).html())) + : ''; $(options.target)[fn](data).each(oldSuccess, arguments); }); @@ -1082,7 +1085,7 @@ $.parseJSON || function (s) { - // Arise an error resolvable including jquery instead of + // Arise an error resolvable including jquery instead of // making a new function using unsanitized inputs window.console.error('jquery.parseJSON is undefined'); From e144224c2ff63145dc2a6ed2607c1fdb7dbe1a56 Mon Sep 17 00:00:00 2001 From: Norbert Nemeth Date: Wed, 20 Jan 2021 12:39:55 +0100 Subject: [PATCH 4/4] LPS-125854 refactor for readability --- .../main/resources/META-INF/resources/jquery/form.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js index 823d3aa40915bb..75105872286038 100644 --- a/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js +++ b/modules/apps/frontend-js/frontend-js-jquery-web/src/main/resources/META-INF/resources/jquery/form.js @@ -247,9 +247,9 @@ // Validate `data` through `HTML encoding` when passed `data` is passed // to `html()`, as suggested in https://github.com/jquery-form/form/issues/464 - fn == 'html' - ? (data = $.parseHTML($('
').text(data).html())) - : ''; + data = options.replaceTarget + ? data + : $.parseHTML($('
').text(data).html()); $(options.target)[fn](data).each(oldSuccess, arguments); }); @@ -1085,10 +1085,10 @@ $.parseJSON || function (s) { - // Arise an error resolvable including jquery instead of - // making a new function using unsanitized inputs + // Throw an error instead of making a new function using unsanitized inputs to avoid XSS attacks window.console.error('jquery.parseJSON is undefined'); + return null; };
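Review bot: The encoding applied here covers only the `html` branch: when `options.replaceTarget` is set, `data` is passed through unchanged and `$(options.target)[fn](data)` on the next line calls `replaceWith` with the raw server response, so the same untrusted reply the commit escapes for `.html()` still reaches the DOM as markup on that path. Either the replace path needs the same treatment or the comment should state why a `replaceTarget` response is considered trusted. If both are to be escaped, the entity-encoded string can be handed to either method directly, which also drops the `$.parseHTML` round-trip: `data = $('<div>').text(data).html();` (the element literal inside `$('…')` appears to have been lost in rendering here). The comment's `when passed \`data\` is passed` is a leftover typo; the enclosing callback registration starts before this hunk.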
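Review bot: The rewritten comment says the fallback throws an error, but the body below it still only logs via `window.console.error` and returns `null`, so a caller of `parseJSON` receives a value indistinguishable from a response whose JSON was the literal `null` and carries on as if parsing had succeeded. Make the code match the comment: `throw new Error('jquery.parseJSON is undefined');` in place of the log-and-return pair, which also removes the dependency on `window.console` existing. The comment could then read `// Throw instead of eval()-ing the response: a missing jQuery.parseJSON must not be papered over with unsanitized code execution`. The `var parseJSON =` declaration this function is assigned to begins before the hunk.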