}
var submitcount = 0;
-/**
- * Old submit-once function. Will be removed soon.
- * @deprecated
- */
-function submitOnce(obj, formId, procText) {
- // if named button clicked, change text
- if (obj.value != null) {
- cj('input[name=' + obj.name + ']').val(procText + " ...");
- }
- cj(obj).closest('form').attr('data-warn-changes', 'false');
- if (document.getElementById) { // disable submit button for newer browsers
- cj('input[name=' + obj.name + ']').attr("disabled", true);
- document.getElementById(formId).submit();
- return true;
- }
- else { // for older browsers
- if (submitcount == 0) {
- submitcount++;
- return true;
- }
- else {
- alert("Your request is currently being processed ... Please wait.");
- return false;
- }
- }
-}
/**
* Function to show / hide the row in optionFields
$.propHooks.disabled = {
set: function (el, value, name) {
// Sync button enabled status with wrapper css
- if ($(el).is('span.crm-button > input.crm-form-submit')) {
+ if ($(el).is('.crm-button.crm-form-submit')) {
$(el).parent().toggleClass('crm-button-disabled', !!value);
}
// Sync button enabled status with dialog button
return rendered;
};
+ CRM.utils.getOptions = function(select) {
+ var options = [];
+ $('option', select).each(function() {
+ var option = {key: $(this).attr('value'), value: $(this).text()};
+ if (option.key !== '') {
+ options.push(option);
+ }
+ });
+ return options;
+ };
+
function chainSelect() {
var $form = $(this).closest('form'),
$target = $('select[data-name="' + $(this).data('target') + '"]', $form),
$('form[data-submit-once]', e.target)
.submit(submitOnceForm)
.on('invalid-form', submitFormInvalid);
- $('form[data-submit-once] input[type=submit]', e.target).click(function(e) {
+ $('form[data-submit-once] button[type=submit]', e.target).click(function(e) {
submitButton = e.target;
});
})
// CVE-2020-11022 and CVE-2020-11023 Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
$.htmlPrefilter = function(html) {
+ // Prior to jQuery 3.5, jQuery converted XHTML-style self-closing tags to
+ // their XML equivalent: e.g., "<div />" to "<div></div>". This is
+ // problematic for several reasons, including that it's vulnerable to XSS
+ // attacks. However, since this was jQuery's behavior for many years, many
+ // Drupal modules and jQuery plugins may be relying on it. Therefore, we
+ // preserve that behavior, but for a limited set of tags only, that we believe
+ // to not be vulnerable. This is the set of HTML tags that satisfy all of the
+ // following conditions:
+ // - In DOMPurify's list of HTML tags. If an HTML tag isn't safe enough to
+ // appear in that list, then we don't want to mess with it here either.
+ // @see https://github.com/cure53/DOMPurify/blob/2.0.11/dist/purify.js#L128
+ // - A normal element (not a void, template, text, or foreign element).
+ // @see https://html.spec.whatwg.org/multipage/syntax.html#elements-2
+ // - An element that is still defined by the current HTML specification
+ // (not a deprecated element), because we do not want to rely on how
+ // browsers parse deprecated elements.
+ // @see https://developer.mozilla.org/en-US/docs/Web/HTML/Element
+ // - Not 'html', 'head', or 'body', because this pseudo-XHTML expansion is
+ // designed for fragments, not entire documents.
+ // - Not 'colgroup', because due to an idiosyncrasy of jQuery's original
+ // regular expression, it didn't match on colgroup, and we don't want to
+ // introduce a behavior change for that.
+ var selfClosingTagsToReplace = [
+ 'a', 'abbr', 'address', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo',
+ 'blockquote', 'button', 'canvas', 'caption', 'cite', 'code', 'data',
+ 'datalist', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em',
+ 'fieldset', 'figcaption', 'figure', 'footer', 'form', 'h1', 'h2', 'h3',
+ 'h4', 'h5', 'h6', 'header', 'hgroup', 'i', 'ins', 'kbd', 'label', 'legend',
+ 'li', 'main', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup',
+ 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt',
+ 'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span',
+ 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th',
+ 'thead', 'time', 'tr', 'u', 'ul', 'var', 'video'
+ ];
+
+ // Define regular expressions for <TAG/> and <TAG ATTRIBUTES/>. Doing this as
+ // two expressions makes it easier to target <a/> without also targeting
+ // every tag that starts with "a".
+ var xhtmlRegExpGroup = '(' + selfClosingTagsToReplace.join('|') + ')';
+ var whitespace = '[\\x20\\t\\r\\n\\f]';
+ var rxhtmlTagWithoutSpaceOrAttributes = new RegExp('<' + xhtmlRegExpGroup + '\\/>', 'gi');
+ var rxhtmlTagWithSpaceAndMaybeAttributes = new RegExp('<' + xhtmlRegExpGroup + '(' + whitespace + '[^>]*)\\/>', 'gi');
+
+ // jQuery 3.5 also fixed a vulnerability for when </select> appears within
+ // an <option> or <optgroup>, but it did that in local code that we can't
+ // backport directly. Instead, we filter such cases out. To do so, we need to
+ // determine when jQuery would otherwise invoke the vulnerable code, which it
+ // uses this regular expression to determine. The regular expression changed
+ // for version 3.0.0 and changed again for 3.4.0.
+ // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4958
+ // @see https://github.com/jquery/jquery/blob/3.0.0/dist/jquery.js#L4584
+ // @see https://github.com/jquery/jquery/blob/3.4.0/dist/jquery.js#L4712
+ var rtagName = /<([\w:]+)/;
+
+ // The regular expression that jQuery uses to determine which self-closing
+ // tags to expand to open and close tags. This is vulnerable, because it
+ // matches all tag names except the few excluded ones. We only use this
+ // expression for determining vulnerability. The expression changed for
+ // version 3, but we only need to check for vulnerability in versions 1 and 2,
+ // so we use the expression from those versions.
+ // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4957
+ var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;
+
// This is how jQuery determines the first tag in the HTML.
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5521
var tag = ( rtagName.exec( html ) || [ "", "" ] )[ 1 ].toLowerCase();
projects / civicrm-core.git / blobdiff