From 0c29b4b5161d6e8efdfa5acd7e9271e796f47047 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Thu, 28 May 2020 16:00:57 +1000
Subject: [PATCH] Patch jQuery for CVE-2020-11022 and CVE-2020-11023

---
 js/Common.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/js/Common.js b/js/Common.js
index 88acc9ef4d..a784a474ab 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1698,4 +1698,9 @@ if (!CRM.vars) CRM.vars = {};
 }
 });
+ // CVE-2020-11022 and CVE-2020-11023 Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
+ $.htmlPrefilter = function(html) {
+ return html;
+ };
+
 })(jQuery, _);
-- 
2.25.1
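Review bot: The comment added above the `$.htmlPrefilter` override describes the vulnerability but not what the override does or why an identity function is the mitigation, so the next maintainer has no way to tell whether it is still needed or safe to remove. I would replace it with a comment that states the mechanism, e.g. `// Mitigation for CVE-2020-11022 / CVE-2020-11023: jQuery < 3.5 rewrites self-closing tags (e.g. "<div/>") in the regex-based htmlPrefilter before parsing, which can turn sanitized markup into executable markup; the identity prefilter matches jQuery 3.5's fixed behavior.` Two caveats are worth recording in the same comment: the override only takes effect once this IIFE has run, so any jQuery DOM-manipulation call that executes earlier in page load is presumably still exposed, and on jQuery 3.5 or later the assignment is a no-op — I cannot see the bundled jQuery version from this hunk. Because the expansion is disabled, any project markup that relies on self-closing non-void tags being expanded will now behave differently, which would be worth a grep before merging. The enclosing IIFE starts well before this hunk.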