✨ jQuery v2.2.5-sec

Author: ctcpip

README.md

@@ -8,19 +8,22 @@ In a perfect world, at least every MAJOR EOL jQuery release line would have a se
 
 | Status | jQuery version | jQuery-sec version | Branch       | PR              | Release | CVEs Patched                                                                                                                                    |
 | ------ | -------------- | ------------------ | ------------ | --------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| ✅     | `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec]  | [PR][1.2.7-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| ✅     | `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec]  | [PR][1.3.3-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| ✅     | `1.4.4`        | `1.4.5-sec`        | [1.4.5-sec]  | [PR][1.4.5-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
-| ✅     | `1.5.2`        | `1.5.3-sec`        | [1.5.3-sec]  | [PR][1.5.3-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
-| ✅     | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec]  | [PR][1.6.5-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| ✅     | `1.7.2`        | `1.7.3-sec`        | [1.7.3-sec]  | [PR][1.7.3-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| ✅     | `1.8.3`        | `1.8.4-sec`        | [1.8.4-sec]  | [PR][1.8.4-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `2.2.4`        | `2.2.5-sec`        | [2.2.5-sec]  | [PR][2.2.5-pr]  |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
 | ✅     | `1.12.4`       | `1.12.5-sec`       | [1.12.5-sec] | [PR][1.12.5-pr] |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                                     |
-| 🚧     | `2.2.4`        | `2.2.5-sec`        |              |                 |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
+| ✅     | `1.8.3`        | `1.8.4-sec`        | [1.8.4-sec]  | [PR][1.8.4-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.7.2`        | `1.7.3-sec`        | [1.7.3-sec]  | [PR][1.7.3-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec]  | [PR][1.6.5-pr]  |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.5.2`        | `1.5.3-sec`        | [1.5.3-sec]  | [PR][1.5.3-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
+| ✅     | `1.4.4`        | `1.4.5-sec`        | [1.4.5-sec]  | [PR][1.4.5-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
+| ✅     | `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec]  | [PR][1.3.3-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
+| ✅     | `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec]  | [PR][1.2.7-pr]  |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>\* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
 
 > [!IMPORTANT]
 > \*CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
 
+> [!IMPORTANT]
+> CVE-2020-23064 is reproducible in all versions, but our understanding is that it is a duplicate of CVE-2020-11023
+
 > [!NOTE]
 > The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
 
@@ -74,6 +77,8 @@ Ultimately, our hope is that these patched versions can be approved and accepted
 [1.8.4-pr]: https://github.com/ctcpip/jquery-security-patches/pull/8
 [1.12.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.12.5-sec
 [1.12.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/9
+[2.2.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/2.2.5-sec
+[2.2.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/10
 [CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
 [CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
 [CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98

security/README.md

@@ -10,8 +10,11 @@
 - [Make](https://en.wikipedia.org/wiki/Make_(software))
 - Node.js
   - Node v20, the current LTS version at the time of this writing is the version used, although you may be successful with other versions
-- For older jQuery versions (1.2.6 through 1.12.4<!-- update as needed -->), you'll need to install php 5.6
+- You'll need to install php 5.6 -- a newer version of php will probably work as well, but we used 5.6
   - For Macs, We recommend using [homebrew-php](https://github.com/shivammathur/homebrew-php)
+- For versions up to and including 1.8.3 / 1.8.4-sec, we were able to get away with the built-in php dev server. For later versions, you'll need to have (or install) a proper server.
+  - The path of least resistance is to use `nginx`:
+  - `brew install nginx`
 
 ## Testing
 
@@ -113,14 +116,8 @@
 
 #### 1.12.4 / 1.12.5-sec
 
-For prior versions, we were able to get away with the built-in php dev server.
-We were not so successful with 1.12.4, so you'll need to have (or install) a proper server.
-The path of least resistance is to use `nginx`.
-You should already have installed PHP -- if not, see [prerequisites](#prerequisites).
-
 - Checkout the `1.12.4` or `1.12.5-sec` branch
 - From the root folder of the repo:
-  - `brew install nginx`
   - `npm i -g grunt-cli`
   - Add the following `overrides` object to `package.json`:
     -`"overrides": { "graceful-fs": "^4.2.11" }`
@@ -139,6 +136,23 @@ You should already have installed PHP -- if not, see [prerequisites](#prerequisi
   - `CTRL+C` in the terminal where you are running `nginx`
   - `brew services stop php@5.6`
 
+#### 2.2.4 / 2.2.5-sec
+
+- Checkout the `2.2.4` or `2.2.5-sec` branch
+- From the root folder of the repo:
+  - `npm i -g grunt-cli`
+  - Run `grunt`
+  - A pre-configured `nginx` configuration file (`nginx.conf`) is in the root of the repo
+    - Modify the first two paths near the top of the file to suit your filesystem
+  - In a separate terminal window, run `nginx`, replacing the paths to suit your filesystem:
+    - `/path/to/nginx/bin/nginx -c /path/to/jquery/repo/nginx.conf -g daemon\ off\;`
+  - `cd test`
+  - `brew services start php@5.6`
+- Open `127.0.0.1/tests/index.html` in your browser
+- When you are finished:
+  - `CTRL+C` in the terminal where you are running `nginx`
+  - `brew services stop php@5.6`
+
 ### A/B end-to-end acceptance tests
 
 Tests run on every push in CI via [GitHub workflow](https://github.com/ctcpip/jquery-security-patches/actions/workflows/security-test.yml)
@@ -233,3 +247,11 @@ You can run the A/B tests locally in CI mode or manually in the browser
     - Modify that file to call `os.tmpdir()` instead of `os.tmpDir()`
   - `grunt` should work now
     - This will output `./dist/jquery.js`
+
+#### 2.2.4 / 2.2.5-sec
+
+- Checkout the `2.2.4` or `2.2.5-sec` branch
+- From the root folder of the repo:
+  - `npm i -g grunt-cli`
+  - Run `grunt`
+    - This will output `./dist/jquery.js`

security/site/vendor/jquery-2.2.5-sec.js

@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v2.2.4
+ * jQuery JavaScript Library v2.2.5-sec
  * http://jquery.com/
  *
  * Includes Sizzle.js
@@ -9,7 +9,7 @@
  * Released under the MIT license
  * http://jquery.org/license
  *
- * Date: 2016-05-20T17:23Z
+ * Date: 2024-02-21T04:25Z
  */
 
 (function( global, factory ) {
@@ -209,8 +209,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
@@ -4249,12 +4250,41 @@ var rscriptType = ( /^$|\/(?:java|ecma)script/i );
 
 
 
+( function() {
+	var fragment = document.createDocumentFragment(),
+		div = fragment.appendChild( document.createElement( "div" ) ),
+		input = document.createElement( "input" );
+
+	// Support: Android 4.0-4.3, Safari<=5.1
+	// Check state lost if the name is set (#11217)
+	// Support: Windows Web Apps (WWA)
+	// `name` and `type` must use .setAttribute for WWA (#14901)
+	input.setAttribute( "type", "radio" );
+	input.setAttribute( "checked", "checked" );
+	input.setAttribute( "name", "t" );
+
+	div.appendChild( input );
+
+	// Support: Safari<=5.1, Android<4.2
+	// Older WebKit doesn't clone checked state correctly in fragments
+	support.checkClone = div.cloneNode( true ).cloneNode( true ).lastChild.checked;
+
+	// Support: IE<=11+
+	// Make sure textarea (and checkbox) defaultValue is properly cloned
+	div.innerHTML = "<textarea>x</textarea>";
+	support.noCloneChecked = !!div.cloneNode( true ).lastChild.defaultValue;
+
+	// Support: IE <=9 only
+	// IE <=9 replaces <option> tags with their contents when inserted outside of
+	// the select element.
+	div.innerHTML = "<option></option>";
+	support.option = !!div.lastChild;
+} )();
+
+
 // We have to close these tags to support XHTML (#13200)
 var wrapMap = {
 
-	// Support: IE9
-	option: [ 1, "<select multiple='multiple'>", "</select>" ],
-
 	// XHTML parsers do not magically insert elements in the
 	// same way that tag soup parsers do. So we cannot shorten
 	// this by omitting <tbody> or other required elements.
@@ -4266,12 +4296,14 @@ var wrapMap = {
 	_default: [ 0, "", "" ]
 };
 
-// Support: IE9
-wrapMap.optgroup = wrapMap.option;
-
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
+// Support: IE <=9 only
+if ( !support.option ) {
+	wrapMap.optgroup = wrapMap.option = [ 1, "<select multiple='multiple'>", "</select>" ];
+}
+
 
 function getAll( context, tag ) {
 
@@ -4396,32 +4428,6 @@ function buildFragment( elems, context, scripts, selection, ignored ) {
 }
 
 
-( function() {
-	var fragment = document.createDocumentFragment(),
-		div = fragment.appendChild( document.createElement( "div" ) ),
-		input = document.createElement( "input" );
-
-	// Support: Android 4.0-4.3, Safari<=5.1
-	// Check state lost if the name is set (#11217)
-	// Support: Windows Web Apps (WWA)
-	// `name` and `type` must use .setAttribute for WWA (#14901)
-	input.setAttribute( "type", "radio" );
-	input.setAttribute( "checked", "checked" );
-	input.setAttribute( "name", "t" );
-
-	div.appendChild( input );
-
-	// Support: Safari<=5.1, Android<4.2
-	// Older WebKit doesn't clone checked state correctly in fragments
-	support.checkClone = div.cloneNode( true ).cloneNode( true ).lastChild.checked;
-
-	// Support: IE<=11+
-	// Make sure textarea (and checkbox) defaultValue is properly cloned
-	div.innerHTML = "<textarea>x</textarea>";
-	support.noCloneChecked = !!div.cloneNode( true ).lastChild.defaultValue;
-} )();
-
-
 var
 	rkeyEvent = /^key/,
 	rmouseEvent = /^(?:mouse|pointer|contextmenu|drag|drop)|click/,
@@ -5121,13 +5127,10 @@ jQuery.fn.extend( {
 } );
 
 
-var
-	rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,
-
 	// Support: IE 10-11, Edge 10240+
 	// In IE/Edge using regex groups here causes severe slowdowns.
 	// See https://connect.microsoft.com/IE/feedback/details/1736512/
-	rnoInnerhtml = /<script|<style|<link/i,
+var	rnoInnerhtml = /<script|<style|<link/i,
 
 	// checked="checked" or checked
 	rchecked = /checked\s*(?:[^=]|=\s*.checked.)/i,
@@ -5322,7 +5325,7 @@ function remove( elem, selector, keepData ) {
 
 jQuery.extend( {
 	htmlPrefilter: function( html ) {
-		return html.replace( rxhtmlTag, "<$1></$2>" );
+		return html;
 	},
 
 	clone: function( elem, dataAndEvents, deepDataAndEvents ) {
@@ -9194,6 +9197,13 @@ jQuery.ajaxTransport( function( options ) {
 
 
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+	if ( s.crossDomain ) {
+			s.contents.script = false;
+	}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 	accepts: {

security/test/test.mjs

@@ -15,6 +15,7 @@ const patchedVersions = [
 	'1.7.3-sec',
 	'1.8.4-sec',
 	'1.12.5-sec',
+	'2.2.5-sec',
 ];
 
 function banner(txt, {borderColor = 'magenta', textColor = 'cyan'} = {borderColor: 'magenta',  textColor: 'cyan'}) {