diff --git a/client-participation/js/3rdparty/jquery.js b/client-participation/js/3rdparty/jquery.js
index 8f9551cc77..bc53ec5bd4 100644
--- a/client-participation/js/3rdparty/jquery.js
+++ b/client-participation/js/3rdparty/jquery.js
@@ -8288,6 +8288,11 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 // Convert response if prev dataType is non-auto and differs from current
 } else if ( prev !== "*" && prev !== current ) {
+ // Mitigate possible XSS vulnerability (gh-2432)
+ if ( s.crossDomain && current === "script" ) {
+ continue;
+ }
+
 // Seek a direct converter
 conv = converters[ prev + " " + current ] || converters[ "* " + current ];
diff --git a/client-participation/package.json b/client-participation/package.json
index 755ecad744..ca872782e6 100644
--- a/client-participation/package.json
+++ b/client-participation/package.json
@@ -2,6 +2,7 @@
 "name": "polis-client-participation",
 "version": "1.0.0",
 "scripts": {
+ "test": "node scripts/verify-jquery-cve-2015-9251.cjs",
 "start": "npm run dev",
 "analyze": "webpack --mode=production --analyze",
 "build": "npm run build:prod",
diff --git a/client-participation/scripts/verify-jquery-cve-2015-9251.cjs b/client-participation/scripts/verify-jquery-cve-2015-9251.cjs
new file mode 100644
index 0000000000..5f5b9c7223
--- /dev/null
+++ b/client-participation/scripts/verify-jquery-cve-2015-9251.cjs
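Review bot: The added `"test"` entry makes the CVE-2015-9251 guard the only thing `npm test` runs, so the first move to a real test runner will most likely overwrite this line and silently drop the regression check. Giving the check its own script name and chaining it keeps it from being lost: `"verify:jquery": "node scripts/verify-jquery-cve-2015-9251.cjs",` and `"test": "npm run verify:jquery",`. Whether the package previously had a `test` entry is not visible in this hunk.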
@@ -0,0 +1,20 @@
+"use strict";
+
+/**
+ * Regression guard for CVE-2015-9251 mitigation in vendored jQuery (ajaxConvert).
+ * @see https://github.com/jquery/jquery/commit/2546bb35b89413da5198d54a4539e4ed0aaf6e49
+ */
+const fs = require("fs");
+const path = require("path");
+
+const jqueryPath = path.join(__dirname, "..", "js", "3rdparty", "jquery.js");
+const src = fs.readFileSync(jqueryPath, "utf8");
+
+if (!src.includes('s.crossDomain && current === "script"')) {
+ console.error(
+ "verify-jquery-cve-2015-9251: expected gh-2432 / CVE-2015-9251 guard in ajaxConvert"
+ );
+ process.exit(1);
+}
+
+console.log("verify-jquery-cve-2015-9251: ok");
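Review bot: The check on the `if (!src.includes(...))` line is a plain substring match over the whole vendored file, so it still passes if the expression survives only in a comment or in some unrelated function, and it never confirms that the `continue` is still attached to the condition. Anchoring on the statement shape is just as cheap: `const guard = /if \( s\.crossDomain && current === "script" \) \{\s*continue;\s*\}/;` followed by `if (!guard.test(src)) {`. It would also be worth requiring the match to sit after the `function ajaxConvert(` signature rather than anywhere in the file, since the mitigation is only meaningful inside that converter loop. A missing jquery.js currently surfaces as an uncaught `readFileSync` exception, which still fails the script but with a stack trace instead of the labelled message on the `console.error` line.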