/** * For jQuery versions less than 3.5.0, this replaces the jQuery.htmlPrefilter() * function with one that fixes these security vulnerabilities while also * retaining the pre-3.5.0 behavior where it's safe to do so. * - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022 * - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023 * * Additionally, for jQuery versions that do not have a jQuery.htmlPrefilter() * function (1.x prior to 1.12 and 2.x prior to 2.2), this adds it, and * extends the functions that need to call it to do so. * * Drupal core's jQuery version is 1.4.4, but jQuery Update can provide a * different version, so this covers all versions between 1.4.4 and 3.4.1. * The GitHub links in the code comments below link to jQuery 1.5 code, because * 1.4.4 isn't on GitHub, but the referenced code didn't change from 1.4.4 to * 1.5. */ (function (jQuery) { // Parts of this backport differ by jQuery version. var versionParts = jQuery.fn.jquery.split('.'); var majorVersion = parseInt(versionParts[0]); var minorVersion = parseInt(versionParts[1]); // No backport is needed if we're already on jQuery 3.5 or higher. if ( (majorVersion > 3) || (majorVersion === 3 && minorVersion >= 5) ) { return; } // Prior to jQuery 3.5, jQuery converted XHTML-style self-closing tags to // their XML equivalent: e.g., "
" to "". This is // problematic for several reasons, including that it's vulnerable to XSS // attacks. However, since this was jQuery's behavior for many years, many // Drupal modules and jQuery plugins may be relying on it. Therefore, we // preserve that behavior, but for a limited set of tags only, that we believe // to not be vulnerable. This is the set of HTML tags that satisfy all of the // following conditions: // - In DOMPurify's list of HTML tags. If an HTML tag isn't safe enough to // appear in that list, then we don't want to mess with it here either. // @see https://github.com/cure53/DOMPurify/blob/2.0.11/dist/purify.js#L128 // - A normal element (not a void, template, text, or foreign element). // @see https://html.spec.whatwg.org/multipage/syntax.html#elements-2 // - An element that is still defined by the current HTML specification // (not a deprecated element), because we do not want to rely on how // browsers parse deprecated elements. // @see https://developer.mozilla.org/en-US/docs/Web/HTML/Element // - Not 'html', 'head', or 'body', because this pseudo-XHTML expansion is // designed for fragments, not entire documents. // - Not 'colgroup', because due to an idiosyncrasy of jQuery's original // regular expression, it didn't match on colgroup, and we don't want to // introduce a behavior change for that. var selfClosingTagsToReplace = [ 'a', 'abbr', 'address', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'blockquote', 'button', 'canvas', 'caption', 'cite', 'code', 'data', 'datalist', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em', 'fieldset', 'figcaption', 'figure', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hgroup', 'i', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span', 'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'time', 'tr', 'u', 'ul', 'var', 'video' ]; // Define regular expressions for