[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

jquery / CVE-2020-7656

This appears to be a vulnerability in that the "load()" function will
not correctly filter out javascript from loaded HTML.


As per was supposedly fixed in the following commit:

NOTE: 20200606: This was fixed upstream in a set of wider changes
NOTE: 20200606: (a938d7b128) which cannot be applied. Even the specific


The relevant line that has been changed is this one.

Before (if selector set):

  rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,

  .append( responseText.replace( rscript, "" ) )
  .find( selector ) :

Before (if selector not set):

   responseText is used as is.

After (if selector set):

  jQuery("<div>").append( jQuery.parseHTML( responseText ) ).find( selector ) :

After (if selector not set):

   responseText is used as is.

OK, so for the case where selector is set, we now call parseHTML instead
of replacing the text. Presumable this fixes the problem. But this
function not available in the Jessie version.

But even more importantly, it looks like to me that if selector was not
given, we don't do any filtering of JavaScript if a selector is not
provided. Even in the latest version of master.


Does this mean the security bug is not sufficiently fixed? Or do we only
need to filter out javascript if a selector is provided for some reason?

I am also a bit puzzled, I would have expected a function called load()
would load JavaScript, and if you add it to the DOM as per the example,
I would expect it to be executed.

Brian May <brian@linuxpenguins.xyz>

Reply to: