Update dependency jquery to v3.5.0 [SECURITY] #1062

Merged
merged 7 commits into from
May 6, 2020

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Apr 30, 2020

This PR contains the following updates:

Package          Type          Update   Change
jquery (source)  dependencies  minor    3.4.1 -> 3.5.0

GitHub Vulnerability Alerts

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around the issue without upgrading, add the following to your code:

// Identity prefilter: disables the self-closing-tag expansion that
// jQuery versions before 3.5 applied to HTML strings.
jQuery.htmlPrefilter = function( html ) {
	return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.


Release Notes

jquery/jquery v3.5.0

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 232bcd1 to 2678d62 Compare April 30, 2020 06:11
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 2678d62 to 21856a7 Compare April 30, 2020 09:18
@renovate
Contributor Author

renovate bot commented May 1, 2020

PR has been edited

👷 This PR has received other commits, so Renovate will stop updating it to avoid conflicts or other problems. If you wish to abandon your changes and have Renovate start over you may click the "rebase" checkbox in the PR body/description.

@squidsoup
Contributor

squidsoup commented May 1, 2020

QA

Please QA this thoroughly (ensure this hasn't broken any views in the angular app).

I've audited the code for problematic self closing tags, and could only find one.

@@ -1,5 +1,5 @@
<div ng-if="loading">
<i class="p-icon--spinner u-animation--spin" />
<i class="p-icon--spinner u-animation--spin"></i>
&nbsp;Loading...
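Review bot: only this one template is touched, and the search for other non-void self-closing tags is a manual grep; consider pairing the change with a template lint or grep rule for non-void self-closing tags so the audit is repeatable. The replacement `<i class="p-icon--spinner u-animation--spin"></i>` is the right form here, since jQuery 3.5's htmlPrefilter no longer rewrites `<i ... />` into an open/close pair and the HTML parser would otherwise treat the self-closing `<i />` as an unclosed element that swallows the following `&nbsp;Loading...` text.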

@squidsoup squidsoup May 1, 2020

grepping the code, this was the only remaining instance of a potentially problematic self closing tag I could find, other than inputs, hrs and brs, but perhaps have a quick grep when QAing this to ensure I haven't missed anything.
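The audit described above (and the htmlPrefilter change behind the CVE-2020-11022 workaround in the PR body) can be made repeatable with a small scanner. This is an added example, not code from the PR, maas-ui or jQuery; the sample template is constructed and the void-element list follows the HTML spec.

```javascript
// Added example (not from the PR or jQuery). Before 3.5, jQuery's
// htmlPrefilter rewrote "<tag ... />" into "<tag ...></tag>" for non-void
// elements, so templates such as '<i class="spinner" />' happened to work.
// In 3.5 the prefilter is the identity function, so the HTML parser sees an
// unclosed <i> that swallows the content after it. This scanner flags such
// tags and rewrites them into explicit open/close pairs.

// HTML void elements: a trailing "/>" on these is harmless.
const VOID_ELEMENTS = new Set([
  "area", "base", "br", "col", "embed", "hr", "img", "input",
  "link", "meta", "param", "source", "track", "wbr",
]);

// Matches "<name attrs />"; captures the tag name and its attribute text.
const SELF_CLOSING = /<([a-zA-Z][a-zA-Z0-9-]*)([^>]*?)\/>/g;

// Return every non-void self-closing tag in a template with its line number.
function findNonVoidSelfClosingTags(template) {
  const findings = [];
  template.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(SELF_CLOSING)) {
      const name = m[1].toLowerCase();
      if (!VOID_ELEMENTS.has(name)) {
        findings.push({ line: idx + 1, tag: name, text: m[0] });
      }
    }
  });
  return findings;
}

// Rewrite flagged tags into "<name attrs></name>", the same form the fix in
// this PR used for the spinner <i> element; void elements are left alone.
function closeNonVoidSelfClosingTags(template) {
  return template.replace(SELF_CLOSING, (whole, name, attrs) =>
    VOID_ELEMENTS.has(name.toLowerCase())
      ? whole
      : `<${name}${attrs.trimEnd()}></${name}>`);
}

// Constructed sample template modelled on the hunk in this PR.
const SAMPLE = [
  '<div ng-if="loading">',
  '  <i class="p-icon--spinner u-animation--spin" />',
  '  &nbsp;Loading...',
  '  <input type="text" /><br />',
  '</div>',
].join("\n");

console.log(findNonVoidSelfClosingTags(SAMPLE));
console.log(closeNonVoidSelfClosingTags(SAMPLE));
```

Attribute values that themselves contain `>` are outside what this regex handles, so treat its output as a review aid rather than a proof of absence.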

@squidsoup squidsoup added the Backport 2.7 ◀️ Backport fix to 2.7 label May 1, 2020
@squidsoup
Contributor

I've added a card to make sure we don't forget to backport this.

@squidsoup squidsoup self-assigned this May 1, 2020
@squidsoup squidsoup merged commit 6ec3bed into master May 6, 2020
@squidsoup squidsoup deleted the renovate/npm-jquery-vulnerability branch May 6, 2020 02:49
Caleb-Ellis pushed a commit to Caleb-Ellis/maas-ui that referenced this pull request May 6, 2020
* Update dependency jquery to v3.5.0 [SECURITY]
* Fix self closing i tag.
@Caleb-Ellis Caleb-Ellis mentioned this pull request May 6, 2020
Caleb-Ellis pushed a commit that referenced this pull request May 7, 2020
* Update dependency jquery to v3.5.0 [SECURITY]
* Fix self closing i tag.