✨ jQuery v1.7.3-sec

Author: ctcpip

README.md

@@ -13,7 +13,7 @@ In a perfect world, at least every MAJOR EOL jQuery release line would have a se
 | ✅     | `1.4.4`        | `1.4.5-sec`        | [1.4.5-sec] | [PR][1.4.5-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
 | ✅     | `1.5.2`        | `1.5.3-sec`        | [1.5.3-sec] | [PR][1.5.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
 | ✅     | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec] | [PR][1.6.5-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| 🚧     | `1.7.2`        | `1.7.3-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.7.2`        | `1.7.3-sec`        | [1.7.3-sec] | [PR][1.7.3-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
 | 🚧     | `1.8.3`        | `1.8.4-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
 | 🚧     | `1.12.4`       | `1.12.5-sec`       |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                                     |
 | 🚧     | `2.2.4`        | `2.2.5-sec`        |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
@@ -68,6 +68,8 @@ Ultimately, our hope is that these patched versions can be approved and accepted
 [1.5.3-pr]: https://github.com/ctcpip/jquery-security-patches/pull/6
 [1.6.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.6.5-sec
 [1.6.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/1
+[1.7.3-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.7.3-sec
+[1.7.3-pr]: https://github.com/ctcpip/jquery-security-patches/pull/7
 [CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
 [CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
 [CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98

security/README.md

@@ -65,7 +65,13 @@
 #### 1.6.4 / 1.6.5-sec
 
 - Checkout the `1.6.4` or `1.6.5-sec` branch
-- Run php server from the root folder of the repo: `php -S 127.0.0.1:8000`
+- Run php server from the root folder of the repo: `php -S 127.0.0.1:8000 -t test`
+- Open `127.0.0.1:8000/tests/index.html` in your browser
+
+#### 1.7.2 / 1.7.3-sec
+
+- Checkout the `1.7.2` or `1.7.3-sec` branch
+- Run php server from the root folder of the repo: `php -S 127.0.0.1:8000 -t test`
 - Open `127.0.0.1:8000/tests/index.html` in your browser
 
 ### A/B end-to-end acceptance tests
@@ -136,3 +142,10 @@ You can run the A/B tests locally in CI mode or manually in the browser
 - From the root folder of the repo:
   - Run `make`
     - This will output `./dist/jquery.js`
+
+#### 1.7.2 / 1.7.3-sec
+
+- Checkout the `1.7.2` or `1.7.3-sec` branch
+- From the root folder of the repo:
+  - Run `make`
+    - This will output `./dist/jquery.js`

security/site/vendor/jquery-1.7.3-sec.js

@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v1.7.2
+ * jQuery JavaScript Library v1.7.3-sec
  * http://jquery.com/
  *
  * Copyright 2011, John Resig
@@ -11,7 +11,7 @@
  * Copyright 2011, The Dojo Foundation
  * Released under the MIT, BSD, and GPL Licenses.
  *
- * Date: Wed Mar 21 12:46:34 2012 -0700
+ * Date: Fri Feb 16 00:55:01 2024 -0600
  */
 (function( window, undefined ) {
 
@@ -38,7 +38,8 @@ var jQuery = function( selector, context ) {
 
 	// A simple way to check for HTML strings or ID strings
 	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+	// Strict HTML recognition (#11290: must start with <)
+	quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
 
 	// Check if a string has a non-whitespace character in it
 	rnotwhite = /\S/,
@@ -355,8 +356,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
@@ -3645,7 +3647,7 @@ if ( !jQuery.support.submitBubbles ) {
 			});
 			// return undefined since we don't need an event listener
 		},
-
+		
 		postDispatch: function( event ) {
 			// If form was submitted by the user, bubble the event up the tree
 			if ( event._submit_bubble ) {
@@ -5735,7 +5737,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
 		"header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",
 	rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
 	rleadingWhitespace = /^\s+/,
-	rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
 	rtagName = /<([\w:]+)/,
 	rtbody = /<tbody/i,
 	rhtml = /<|&#?\w+;/,
@@ -5747,7 +5748,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
 	rscriptType = /\/(java|ecma)script/i,
 	rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)/,
 	wrapMap = {
-		option: [ 1, "<select multiple='multiple'>", "</select>" ],
 		legend: [ 1, "<fieldset>", "</fieldset>" ],
 		thead: [ 1, "<table>", "</table>" ],
 		tr: [ 2, "<table><tbody>", "</tbody></table>" ],
@@ -5758,7 +5758,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
 	},
 	safeFragment = createSafeFragment( document );
 
-wrapMap.optgroup = wrapMap.option;
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
@@ -5936,13 +5935,10 @@ jQuery.fn.extend({
 					null;
 			}
 
-
 			if ( typeof value === "string" && !rnoInnerhtml.test( value ) &&
 				( jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value ) ) &&
 				!wrapMap[ ( rtagName.exec( value ) || ["", ""] )[1].toLowerCase() ] ) {
 
-				value = value.replace( rxhtmlTag, "<$1></$2>" );
-
 				try {
 					for (; i < l; i++ ) {
 						// Remove element nodes and prevent memory leaks
@@ -6387,8 +6383,6 @@ jQuery.extend({
 				if ( !rhtml.test( elem ) ) {
 					elem = context.createTextNode( elem );
 				} else {
-					// Fix "XHTML"-style tags in all browsers
-					elem = elem.replace(rxhtmlTag, "<$1></$2>");
 
 					// Trim whitespace, otherwise indexOf won't work as expected
 					var tag = ( rtagName.exec( elem ) || ["", ""] )[1].toLowerCase(),
@@ -6979,7 +6973,7 @@ var r20 = /%20/g,
 	rnoContent = /^(?:GET|HEAD)$/,
 	rprotocol = /^\/\//,
 	rquery = /\?/,
-	rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
+	rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi,
 	rselectTextarea = /^(?:select|textarea)/i,
 	rspacesAjax = /\s+/,
 	rts = /([?&])_=[^&]*/,
@@ -8046,6 +8040,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
 
 
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+	if ( s.crossDomain ) {
+			s.contents.script = false;
+	}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup({
 	accepts: {

security/test/test.mjs

@@ -12,6 +12,7 @@ const patchedVersions = [
 	'1.4.5-sec',
 	'1.5.3-sec',
 	'1.6.5-sec',
+	'1.7.3-sec',
 ];
 
 function banner(txt, {borderColor = 'magenta', textColor = 'cyan'} = {borderColor: 'magenta',  textColor: 'cyan'}) {