diff --git a/.gitmodules b/.gitmodules index 19c60418e3..2c37e3ae62 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,6 @@ [submodule "src/sizzle"] path = src/sizzle - url = git://github.com/jquery/sizzle.git + url = https://github.com/jquery/sizzle.git [submodule "test/qunit"] path = test/qunit - url = git://github.com/jquery/qunit.git + url = https://github.com/qunitjs/qunit.git diff --git a/bower.json b/bower.json index 32edabdbf4..716ece0f11 100755 --- a/bower.json +++ b/bower.json @@ -1,6 +1,6 @@ { "name" : "jquery", - "version" : "1.7.2", + "version" : "1.7.3-sec", "main" : "./jquery.js", "dependencies": { } diff --git a/component.json b/component.json new file mode 100755 index 0000000000..29d893ac65 --- /dev/null +++ b/component.json @@ -0,0 +1,8 @@ +{ + "name" : "jquery", + "version" : "1.6.5-sec", + "main" : "./jquery.js", + "dependencies": { + } +} + diff --git a/jquery.js b/jquery.js index 3774ff9861..6853389c99 100755 --- a/jquery.js +++ b/jquery.js @@ -1,5 +1,5 @@ /*! - * jQuery JavaScript Library v1.7.2 + * jQuery JavaScript Library v1.7.3-sec * http://jquery.com/ * * Copyright 2011, John Resig @@ -11,7 +11,7 @@ * Copyright 2011, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * - * Date: Wed Mar 21 12:46:34 2012 -0700 + * Date: Fri Feb 16 00:55:01 2024 -0600 */ (function( window, undefined ) { @@ -38,7 +38,8 @@ var jQuery = function( selector, context ) { // A simple way to check for HTML strings or ID strings // Prioritize #id over to avoid XSS via location.hash (#9521) - quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, + // Strict HTML recognition (#11290: must start with <) + quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/, // Check if a string has a non-whitespace character in it rnotwhite = /\S/, @@ -210,7 +211,7 @@ jQuery.fn = jQuery.prototype = { selector: "", // The current version of jQuery being used - jquery: "1.7.2", + jquery: "1.7.3-sec", // The default length of a jQuery object is 0 length: 0, @@ -355,8 +356,9 @@ jQuery.extend = jQuery.fn.extend = function() { src = target[ name ]; copy = options[ name ]; + // Prevent Object.prototype pollution // Prevent never-ending loop - if ( target === copy ) { + if ( name === "__proto__" || target === copy ) { continue; } @@ -5735,7 +5737,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca "header|hgroup|mark|meter|nav|output|progress|section|summary|time|video", rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, rleadingWhitespace = /^\s+/, - rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig, rtagName = /<([\w:]+)/, rtbody = /" ], legend: [ 1, "
", "
" ], thead: [ 1, "", "
" ], tr: [ 2, "", "
" ], @@ -5758,7 +5758,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca }, safeFragment = createSafeFragment( document ); -wrapMap.optgroup = wrapMap.option; wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead; wrapMap.th = wrapMap.td; @@ -5936,13 +5935,10 @@ jQuery.fn.extend({ null; } - if ( typeof value === "string" && !rnoInnerhtml.test( value ) && ( jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value ) ) && !wrapMap[ ( rtagName.exec( value ) || ["", ""] )[1].toLowerCase() ] ) { - value = value.replace( rxhtmlTag, "<$1>" ); - try { for (; i < l; i++ ) { // Remove element nodes and prevent memory leaks @@ -6387,8 +6383,6 @@ jQuery.extend({ if ( !rhtml.test( elem ) ) { elem = context.createTextNode( elem ); } else { - // Fix "XHTML"-style tags in all browsers - elem = elem.replace(rxhtmlTag, "<$1>"); // Trim whitespace, otherwise indexOf won't work as expected var tag = ( rtagName.exec( elem ) || ["", ""] )[1].toLowerCase(), @@ -6979,7 +6973,7 @@ var r20 = /%20/g, rnoContent = /^(?:GET|HEAD)$/, rprotocol = /^\/\//, rquery = /\?/, - rscript = /<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, + rscript = /<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi, rselectTextarea = /^(?:select|textarea)/i, rspacesAjax = /\s+/, rts = /([?&])_=[^&]*/, @@ -8046,6 +8040,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) { +// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) +jQuery.ajaxPrefilter( function( s ) { + if ( s.crossDomain ) { + s.contents.script = false; + } +} ); + // Install script dataType jQuery.ajaxSetup({ accepts: { diff --git a/src/ajax.js b/src/ajax.js index 2bcc1d0a2c..e89b46140b 100644 --- a/src/ajax.js +++ b/src/ajax.js @@ -11,7 +11,7 @@ var r20 = /%20/g, rnoContent = /^(?:GET|HEAD)$/, rprotocol = /^\/\//, rquery = /\?/, - rscript = /<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, + rscript = /<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi, rselectTextarea = /^(?:select|textarea)/i, rspacesAjax = /\s+/, rts = /([?&])_=[^&]*/, diff --git a/src/ajax/script.js b/src/ajax/script.js index f7a9180107..254c4ce613 100644 --- a/src/ajax/script.js +++ b/src/ajax/script.js @@ -1,5 +1,12 @@ (function( jQuery ) { +// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) +jQuery.ajaxPrefilter( function( s ) { + if ( s.crossDomain ) { + s.contents.script = false; + } +} ); + // Install script dataType jQuery.ajaxSetup({ accepts: { diff --git a/src/core.js b/src/core.js index 9c8314c91a..3f7f689c45 100644 --- a/src/core.js +++ b/src/core.js @@ -17,7 +17,8 @@ var jQuery = function( selector, context ) { // A simple way to check for HTML strings or ID strings // Prioritize #id over to avoid XSS via location.hash (#9521) - quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, + // Strict HTML recognition (#11290: must start with <) + quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/, // Check if a string has a non-whitespace character in it rnotwhite = /\S/, @@ -334,8 +335,9 @@ jQuery.extend = jQuery.fn.extend = function() { src = target[ name ]; copy = options[ name ]; + // Prevent Object.prototype pollution // Prevent never-ending loop - if ( target === copy ) { + if ( name === "__proto__" || target === copy ) { continue; } diff --git a/src/manipulation.js b/src/manipulation.js index 2a37579043..3916c72dd8 100644 --- a/src/manipulation.js +++ b/src/manipulation.js @@ -18,7 +18,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca "header|hgroup|mark|meter|nav|output|progress|section|summary|time|video", rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, rleadingWhitespace = /^\s+/, - rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig, rtagName = /<([\w:]+)/, rtbody = /" ], legend: [ 1, "
", "
" ], thead: [ 1, "", "
" ], tr: [ 2, "", "
" ], @@ -41,7 +39,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca }, safeFragment = createSafeFragment( document ); -wrapMap.optgroup = wrapMap.option; wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead; wrapMap.th = wrapMap.td; @@ -219,13 +216,10 @@ jQuery.fn.extend({ null; } - if ( typeof value === "string" && !rnoInnerhtml.test( value ) && ( jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value ) ) && !wrapMap[ ( rtagName.exec( value ) || ["", ""] )[1].toLowerCase() ] ) { - value = value.replace( rxhtmlTag, "<$1>" ); - try { for (; i < l; i++ ) { // Remove element nodes and prevent memory leaks @@ -670,8 +664,6 @@ jQuery.extend({ if ( !rhtml.test( elem ) ) { elem = context.createTextNode( elem ); } else { - // Fix "XHTML"-style tags in all browsers - elem = elem.replace(rxhtmlTag, "<$1>"); // Trim whitespace, otherwise indexOf won't work as expected var tag = ( rtagName.exec( elem ) || ["", ""] )[1].toLowerCase(), diff --git a/test/unit/ajax.js b/test/unit/ajax.js index de680cb7d0..a91cd1af40 100644 --- a/test/unit/ajax.js +++ b/test/unit/ajax.js @@ -65,6 +65,70 @@ test("jQuery.ajax() - success callbacks - (url, options) syntax", function() { }, 13); }); +test( "jQuery.ajax() - do not execute js (crossOrigin) 1", 2, function() { + + jQuery.ajaxSetup({ timeout: 0 }); + + stop(); + + setTimeout(function(){ + jQuery.ajax({ + url: url( "data/script.php?header=ecma" ), + crossDomain: true, + success: function() { + ok( true, "success" ); + }, + complete: function() { + ok( true, "complete" ); + start(); + } + }); + }, 13); +} ); + +test( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, function() { + + jQuery.ajaxSetup({ timeout: 0 }); + + stop(); + + setTimeout(function(){ + jQuery.ajax({ + url: url( "data/script.php?header=ecma" ), + crossDomain: true, + dataType: "script", + success: function() { + ok( true, "success" ); + }, + complete: function() { + ok( true, "complete" ); + start(); + } + }); + }, 13); +} ); + +test( "jQuery.ajax() - do not execute js (crossOrigin) 2", 2, function() { + + jQuery.ajaxSetup({ timeout: 0 }); + + stop(); + + setTimeout(function(){ + jQuery.ajax({ + url: url( "data/script.php" ), + crossDomain: true, + success: function() { + ok( true, "success" ); + }, + complete: function() { + ok( true, "complete" ); + start(); + } + }); + }, 13); +} ); + test("jQuery.ajax() - success callbacks (late binding)", function() { expect( 8 ); diff --git a/test/unit/core.js b/test/unit/core.js index e87c10664e..bab02af4b8 100644 --- a/test/unit/core.js +++ b/test/unit/core.js @@ -18,7 +18,7 @@ test("Basic requirements", function() { }); test("jQuery()", function() { - expect(29); + expect(27); // Basic constructor's behavior @@ -62,7 +62,7 @@ test("jQuery()", function() { var img = jQuery(""); equal( img.length, 1, "Correct number of elements generated for img" ); equal( img.parent().length, 0, "Make sure that the generated HTML has no parent." ); - var div = jQuery("
"); + var div = jQuery("
"); equal( div.length, 4, "Correct number of elements generated for div hr code b" ); equal( div.parent().length, 0, "Make sure that the generated HTML has no parent." ); @@ -103,16 +103,15 @@ test("jQuery()", function() { // manually clean up detached elements elem.remove(); - equal( jQuery("
").length, 1, "Make sure whitespace is trimmed." ); - equal( jQuery(" a
b ").length, 1, "Make sure whitespace and other characters are trimmed." ); + equal( jQuery("
").length, 1, "Make sure whitespace is trimmed." ); var long = ""; for ( var i = 0; i < 128; i++ ) { long += "12345678"; } - equal( jQuery("
" + long + "
").length, 1, "Make sure whitespace is trimmed on long strings." ); - equal( jQuery(" a
" + long + "
b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." ); + equal( jQuery("
" + long + "
").length, 1, "Make sure whitespace is trimmed on long strings." ); + }); test("selector state", function() { @@ -638,6 +637,36 @@ test("jQuery('html', context)", function() { equal($span.length, 1, "Verify a span created with a div context works, #1763"); }); +test("XSS via location.hash", function() { + expect(1); + + stop(); + jQuery._check9521 = function(x){ + ok( x, "script called from #id-like selector with inline handler" ); + jQuery("#check9521").remove(); + delete jQuery._check9521; + }; + + var $eCheck9521 = jQuery( '#
").appendTo("body"); equal( div2.find("input").css("height"), "20px", "Height on hidden input." ); equal( div2.find("textarea").css("height"), "20px", "Height on hidden textarea." ); diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js index 18e1b8d67e..3587482846 100644 --- a/test/unit/manipulation.js +++ b/test/unit/manipulation.js @@ -1261,7 +1261,7 @@ var testHtml = function(valueObj) { } ok( pass, "Set HTML" ); - div = jQuery("
").html( valueObj("
") ); + div = jQuery("
").html( valueObj("
") ); equal( div.children().length, 2, "Make sure two child nodes exist." ); equal( div.children().children().length, 1, "Make sure that a grandchild exists." ); diff --git a/version.txt b/version.txt index 0a182f2e3a..f16f6f7ff6 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -1.7.2 \ No newline at end of file +1.7.3-sec