✨ jQuery v1.12.5-sec

Author: ctcpip

README.md

@@ -6,17 +6,17 @@ This repository contains unofficial end-of-life jQuery releases with vulnerabili
 
 In a perfect world, at least every MAJOR EOL jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
 
-| Status | jQuery version | jQuery-sec version | Branch      | PR             | Release | CVEs Patched                                                                                                                                    |
-| ------ | -------------- | ------------------ | ----------- | -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| ✅     | `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec] | [PR][1.2.7-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| ✅     | `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec] | [PR][1.3.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| ✅     | `1.4.4`        | `1.4.5-sec`        | [1.4.5-sec] | [PR][1.4.5-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
-| ✅     | `1.5.2`        | `1.5.3-sec`        | [1.5.3-sec] | [PR][1.5.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
-| ✅     | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec] | [PR][1.6.5-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| ✅     | `1.7.2`        | `1.7.3-sec`        | [1.7.3-sec] | [PR][1.7.3-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| ✅     | `1.8.3`        | `1.8.4-sec`        | [1.8.4-sec] | [PR][1.8.4-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| 🚧     | `1.12.4`       | `1.12.5-sec`       |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                                     |
-| 🚧     | `2.2.4`        | `2.2.5-sec`        |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
+| Status | jQuery version | jQuery-sec version | Branch       | PR              | Release | CVEs Patched                                                                                                                                    |
+| ------ | -------------- | ------------------ | ------------ | --------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| ✅     | `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec]  | [PR][1.2.7-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
+| ✅     | `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec]  | [PR][1.3.3-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
+| ✅     | `1.4.4`        | `1.4.5-sec`        | [1.4.5-sec]  | [PR][1.4.5-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
+| ✅     | `1.5.2`        | `1.5.3-sec`        | [1.5.3-sec]  | [PR][1.5.3-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
+| ✅     | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec]  | [PR][1.6.5-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.7.2`        | `1.7.3-sec`        | [1.7.3-sec]  | [PR][1.7.3-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.8.3`        | `1.8.4-sec`        | [1.8.4-sec]  | [PR][1.8.4-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.12.4`       | `1.12.5-sec`       | [1.12.5-sec] | [PR][1.12.5-pr] |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                                     |
+| 🚧     | `2.2.4`        | `2.2.5-sec`        |              |                 |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
 
 > [!IMPORTANT]
 > \*CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
@@ -72,6 +72,8 @@ Ultimately, our hope is that these patched versions can be approved and accepted
 [1.7.3-pr]: https://github.com/ctcpip/jquery-security-patches/pull/7
 [1.8.4-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.8.4-sec
 [1.8.4-pr]: https://github.com/ctcpip/jquery-security-patches/pull/8
+[1.12.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.12.5-sec
+[1.12.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/9
 [CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
 [CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
 [CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98

security/README.md

@@ -10,7 +10,7 @@
 - [Make](https://en.wikipedia.org/wiki/Make_(software))
 - Node.js
   - Node v20, the current LTS version at the time of this writing is the version used, although you may be successful with other versions
-- For older jQuery versions (1.2.6 through 1.5.2<!-- update as needed -->), you'll need to install php 5.6
+- For older jQuery versions (1.2.6 through 1.12.4<!-- update as needed -->), you'll need to install php 5.6
   - For Macs, We recommend using [homebrew-php](https://github.com/shivammathur/homebrew-php)
 
 ## Testing
@@ -111,6 +111,34 @@
     - `php -S 127.0.0.1:8000 -t test`
 - Open `127.0.0.1:8000/tests/index.html` in your browser
 
+#### 1.12.4 / 1.12.5-sec
+
+For prior versions, we were able to get away with the built-in php dev server.
+We were not so successful with 1.12.4, so you'll need to have (or install) a proper server.
+The path of least resistance is to use `nginx`.
+You should already have installed PHP -- if not, see [prerequisites](#prerequisites).
+
+- Checkout the `1.12.4` or `1.12.5-sec` branch
+- From the root folder of the repo:
+  - `brew install nginx`
+  - `npm i -g grunt-cli`
+  - Add the following `overrides` object to `package.json`:
+    -`"overrides": { "graceful-fs": "^4.2.11" }`
+  - Run `grunt`
+  - If you get an error  about `os.tmpDir()` in `node_modules/npm/node_modules/osenv/osenv.js` then:
+    - Modify that file to call `os.tmpdir()` instead of `os.tmpDir()`
+  - `grunt` should work now
+  - A pre-configured `nginx` configuration file (`nginx.conf`) is in the root of the repo
+    - Modify the first two paths near the top of the file to suit your filesystem
+  - In a separate terminal window, run `nginx`, replacing the paths to suit your filesystem:
+    - `/path/to/nginx/bin/nginx -c /path/to/jquery/repo/nginx.conf -g daemon\ off\;`
+  - `cd test`
+  - `brew services start php@5.6`
+- Open `127.0.0.1/tests/index.html` in your browser
+- When you are finished:
+  - `CTRL+C` in the terminal where you are running `nginx`
+  - `brew services stop php@5.6`
+
 ### A/B end-to-end acceptance tests
 
 Tests run on every push in CI via [GitHub workflow](https://github.com/ctcpip/jquery-security-patches/actions/workflows/security-test.yml)
@@ -192,3 +220,16 @@ You can run the A/B tests locally in CI mode or manually in the browser
     - Modify both files to `require('fs')` and change `path.existsSync()` to `fs.existsSync()`
   - Run `grunt`
     - This will output `./dist/jquery.js`
+
+#### 1.12.4 / 1.12.5-sec
+
+- Checkout the `1.12.4` or `1.12.5-sec` branch
+- From the root folder of the repo:
+  - `npm i -g grunt-cli`
+  - Add the following `overrides` object to `package.json`:
+    -`"overrides": { "graceful-fs": "^4.2.11" }`
+  - Run `grunt`
+  - If you get an error  about `os.tmpDir()` in `node_modules/npm/node_modules/osenv/osenv.js` then:
+    - Modify that file to call `os.tmpdir()` instead of `os.tmpDir()`
+  - `grunt` should work now
+    - This will output `./dist/jquery.js`

security/site/vendor/jquery-1.12.5-sec.js

@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v1.12.4
+ * jQuery JavaScript Library v1.12.5-sec
  * http://jquery.com/
  *
  * Includes Sizzle.js
@@ -9,7 +9,7 @@
  * Released under the MIT license
  * http://jquery.org/license
  *
- * Date: 2016-05-20T17:17Z
+ * Date: 2024-02-18T08:52Z
  */
 
 (function( global, factory ) {
@@ -209,8 +209,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
@@ -2859,9 +2860,10 @@ jQuery.fn.extend( {
 var rootjQuery,
 
 	// A simple way to check for HTML strings
-	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	// Strict HTML recognition (#11290: must start with <)
-	rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
+	// Prioritize #id over <tag> to avoid XSS via location.hash (trac-9521)
+	// Strict HTML recognition (trac-11290: must start with <)
+	// Shortcut simple #id case for speed
+	rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/,
 
 	init = jQuery.fn.init = function( selector, context, root ) {
 		var match, elem;
@@ -4522,7 +4524,6 @@ function createSafeFragment( document ) {
 
 // We have to close these tags to support XHTML (#13200)
 var wrapMap = {
-	option: [ 1, "<select multiple='multiple'>", "</select>" ],
 	legend: [ 1, "<fieldset>", "</fieldset>" ],
 	area: [ 1, "<map>", "</map>" ],
 
@@ -4538,9 +4539,6 @@ var wrapMap = {
 	_default: support.htmlSerialize ? [ 0, "", "" ] : [ 1, "X<div>", "</div>" ]
 };
 
-// Support: IE8-IE9
-wrapMap.optgroup = wrapMap.option;
-
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
@@ -5871,7 +5869,6 @@ jQuery.fn.extend( {
 
 var rinlinejQuery = / jQuery\d+="(?:null|\d+)"/g,
 	rnoshimcache = new RegExp( "<(?:" + nodeNames + ")[\\s/>]", "i" ),
-	rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,
 
 	// Support: IE 10-11, Edge 10240+
 	// In IE/Edge using regex groups here causes severe slowdowns.
@@ -6127,7 +6124,7 @@ function remove( elem, selector, keepData ) {
 
 jQuery.extend( {
 	htmlPrefilter: function( html ) {
-		return html.replace( rxhtmlTag, "<$1></$2>" );
+		return html;
 	},
 
 	clone: function( elem, dataAndEvents, deepDataAndEvents ) {
@@ -10358,6 +10355,13 @@ function createActiveXHR() {
 
 
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+	if ( s.crossDomain ) {
+			s.contents.script = false;
+	}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 	accepts: {

security/test/test.mjs

@@ -14,6 +14,7 @@ const patchedVersions = [
 	'1.6.5-sec',
 	'1.7.3-sec',
 	'1.8.4-sec',
+	'1.12.5-sec',
 ];
 
 function banner(txt, {borderColor = 'magenta', textColor = 'cyan'} = {borderColor: 'magenta',  textColor: 'cyan'}) {