
Re: jquery / CVE-2020-7656



"Chris Lamb" <lamby@debian.org> writes:

> Brian,
>
>> Do we only need to filter out javascript if a selector is provided for
>> some reason?
>
> Yes. Javascript development is fun.

Oh, I see it in the docs. I don't know how I missed this before. From
https://api.jquery.com/load/

"When calling .load() using a URL without a suffixed selector expression,
the content is passed to .html() prior to scripts being removed. This
executes the script blocks before they are discarded. If .load() is
called with a selector expression appended to the URL, however, the
scripts are stripped out prior to the DOM being updated, and thus are
not executed. An example of both cases can be seen below:"

Nothing like consistency in APIs :-(

> (As I added in the notes, I do not know how we are meant to cleanly
> fix this issue in jessie's version of jQuery.)

Have you considered the possibility of backporting the parseHTML
function?

At a quick glance it looks like it should be doable, but the imports need
changing.

It looks like the bulk of the work is done by buildFragment, and the
Jessie package does have this function, but in a different file.

https://github.com/jquery/jquery/blob/d0ce00cdfa680f1f0c38460bc51ea14079ae8b07/src/core/parseHTML.js
-- 
Brian May <bam@debian.org>
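The two code paths the quoted jQuery documentation describes, as an added illustration that is not part of this thread and not jQuery's own code. The functions below (stripScripts, simulateLoad, simulateLoadHardened) are a small model written for this note: stripScripts is a deliberately simple scanner standing in for what buildFragment/parseHTML do with keepScripts=false, and the sample response body is constructed. In a browser the real check is to feed fetched markup through jQuery.parseHTML(data, document, false) or DOMParser rather than a string scanner.

```javascript
// Added illustration (not jQuery code): model of the documented .load()
// behaviour. Without a selector the raw response goes to .html() and any
// inline <script> runs; with a selector the scripts are stripped first.

// Remove every <script ...>...</script> element from an HTML string.
// Simple scanner, not an HTML parser: good enough to show the idea, but
// real code should use DOMParser or jQuery.parseHTML(data, document, false).
function stripScripts(html) {
  const lower = html.toLowerCase();
  let out = '';
  let i = 0;
  while (i < html.length) {
    const start = lower.indexOf('<script', i);
    if (start === -1) {
      out += html.slice(i);
      break;
    }
    // Guard against a tag that merely begins with "script" (e.g. <scripts>).
    const next = lower[start + 7];
    if (next !== undefined && !/[\s>\/]/.test(next)) {
      out += html.slice(i, start + 7);
      i = start + 7;
      continue;
    }
    out += html.slice(i, start);
    const end = lower.indexOf('</script', start);
    if (end === -1) {
      break; // unterminated script element: drop the remainder
    }
    const close = lower.indexOf('>', end);
    i = close === -1 ? html.length : close + 1;
  }
  return out;
}

// Count script elements that would execute if the markup were inserted as-is.
function countScripts(html) {
  return (html.match(/<script[\s>\/]/gi) || []).length;
}

// Model of $(el).load(url + selector): selector present => scripts stripped
// before the DOM update; selector absent => raw markup, scripts execute.
function simulateLoad(responseHtml, selector) {
  if (selector && selector.trim() !== '') {
    return { scriptsExecuted: 0, markup: stripScripts(responseHtml) };
  }
  return { scriptsExecuted: countScripts(responseHtml), markup: responseHtml };
}

// Hardened variant: strip scripts from fetched fragments no matter how the
// call was made, so the behaviour no longer depends on the URL suffix.
function simulateLoadHardened(responseHtml) {
  return { scriptsExecuted: 0, markup: stripScripts(responseHtml) };
}

// Constructed sample response body (not captured from any real server).
const SAMPLE_RESPONSE =
  '<div id="main"><p>Hello</p><script>alert(1)</script>' +
  '<script type="text/javascript">x()</script></div><scripts></scripts>';

console.log(simulateLoad(SAMPLE_RESPONSE, ''));        // scriptsExecuted: 2
console.log(simulateLoad(SAMPLE_RESPONSE, ' #main'));  // scriptsExecuted: 0
console.log(simulateLoadHardened(SAMPLE_RESPONSE));    // scriptsExecuted: 0
```

The point the model makes explicit: whether the scripts in a fetched response run is decided by the shape of the URL string passed to .load(), not by anything the caller says about trust. A fix that normalises both paths through the same script-stripping step (the role parseHTML plays in newer jQuery) removes that dependency.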

