From: Seamus Lee Date: Thu, 28 May 2020 06:00:57 +0000 (+1000) Subject: Patch jQuery for CVE-2020-11022 and CVE-2020-11023 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=0c29b4b5161d6e8efdfa5acd7e9271e796f47047;p=civicrm-core.git Patch jQuery for CVE-2020-11022 and CVE-2020-11023
---
diff --git a/js/Common.js b/js/Common.js
index 88acc9ef4d..a784a474ab 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1698,4 +1698,9 @@ if (!CRM.vars) CRM.vars = {};
 }
 });
+ // CVE-2020-11022 and CVE-2020-11023 Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
+ $.htmlPrefilter = function(html) {
+ return html;
+ };
+
 })(jQuery, _);
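Review bot: The comment added above `$.htmlPrefilter` restates the advisory text but never says what the override does, so a later maintainer reading an identity function has no reason not to delete it as a no-op. Suggest replacing it with a comment that names the mechanism, e.g. `// Identity htmlPrefilter: disables jQuery's self-closing-tag expansion (<tag/> -> <tag></tag>), the vector behind CVE-2020-11022/11023; this is the jQuery >= 3.5 default behaviour. It is NOT a sanitizer.`, and keep the CVE ids so the rationale stays searchable. It is also worth stating in the comment that untrusted markup must still be escaped or sanitized before it reaches `.html()`/`.append()`, and that any existing template relying on the old expansion will now be parsed as the browser parses it, which is the one behavioural change this hunk introduces. Whether the override takes effect for callers that ran before this assignment depends on jQuery looking up `jQuery.htmlPrefilter` at call time, which the hunk does not show; the enclosing IIFE starts outside the hunk.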