(parent:
8c48f22
)
Patch jQuery for CVE-2020-11022 and CVE-2020-11023
author
Seamus Lee
<seamuslee001@gmail.com>
Thu, 28 May 2020 06:00:57 +0000
(16:00 +1000)
committer
Seamus Lee
<seamuslee001@gmail.com>
Wed, 19 Aug 2020 06:16:45 +0000
(16:16 +1000)
js/Common.js
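--- a/js/Common.js
+++ b/js/Common.js
@@ -1698,4 +1698,9 @@
 if (!CRM.vars) CRM.vars = {};
 }
 });
+ // CVE-2020-11022 and CVE-2020-11023 Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
+ $.htmlPrefilter = function(html) {
+ return html;
+ };
+
 })(jQuery, _);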
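Review bot: The comment above `$.htmlPrefilter` names both CVE-2020-11022 and CVE-2020-11023, but an identity prefilter only stops jQuery from rewriting self-closing tags, which is the 11022 path. As far as I recall, the upstream advisory for 11023 (`<option>` content) offers no prefilter workaround, so that claim should be confirmed or the bundled jQuery upgraded. I would reword the comment to say what the override does and what it costs, e.g. `// Mitigation for CVE-2020-11022: stop jQuery expanding "<tag/>" into "<tag></tag>"; markup that relied on that expansion must now use explicit closing tags.` The override applies only to the jQuery instance passed into this closure, which opens outside the hunk, and presumably only on versions that consult `htmlPrefilter`, so the minimum jQuery version is worth noting beside it.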