X Tutup
Skip to content

make htmlPrefilter an identity function#37596

Merged
phil-davis merged 1 commit intomasterfrom
tweak-jquery
Jun 25, 2020
Merged

make htmlPrefilter an identity function#37596
phil-davis merged 1 commit intomasterfrom
tweak-jquery

Conversation

@C0rby
Copy link
Contributor

@C0rby C0rby commented Jun 25, 2020
edited by micbar
Loading

Description

The used version of jQuery contains a potential XSS vulneratbility.
This patch is a suggested workaround.
See GHSA-gxr4-xjj5-5px2

Related Issue

Motivation and Context

Since we don't upgrade the libraries we need to patch security changes.

How Has This Been Tested?

  • it hasn't been yet

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE

@C0rby C0rby requested a review from PVince81 June 25, 2020 09:57
@codecov
Copy link

codecov bot commented Jun 25, 2020

Codecov Report

Merging #37596 into master will decrease coverage by 0.00%.
The diff coverage is 50.00%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #37596      +/-   ##
============================================
- Coverage     64.70%   64.70%   -0.01%     
  Complexity    19353    19353              
============================================
  Files          1281     1281              
  Lines         75612    75614       +2     
  Branches       1333     1333              
============================================
+ Hits          48925    48926       +1     
- Misses        26295    26296       +1     
  Partials        392      392
Flag Coverage Δ Complexity Δ
#javascript 54.03% <50.00%> (-0.01%) 0.00 <0.00> (ø)
#phpunit 65.88% <ø> (ø) 19353.00 <ø> (ø)
Impacted Files Coverage Δ Complexity Δ
core/js/js.js 55.04% <50.00%> (-0.02%) 0.00 <0.00> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f4ad0c7...1b715a8. Read the comment docs.

1 similar comment
@codecov
Copy link

codecov bot commented Jun 25, 2020

Codecov Report

Merging #37596 into master will decrease coverage by 0.00%.
The diff coverage is 50.00%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #37596      +/-   ##
============================================
- Coverage     64.70%   64.70%   -0.01%     
  Complexity    19353    19353              
============================================
  Files          1281     1281              
  Lines         75612    75614       +2     
  Branches       1333     1333              
============================================
+ Hits          48925    48926       +1     
- Misses        26295    26296       +1     
  Partials        392      392
Flag Coverage Δ Complexity Δ
#javascript 54.03% <50.00%> (-0.01%) 0.00 <0.00> (ø)
#phpunit 65.88% <ø> (ø) 19353.00 <ø> (ø)
Impacted Files Coverage Δ Complexity Δ
core/js/js.js 55.04% <50.00%> (-0.02%) 0.00 <0.00> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f4ad0c7...1b715a8. Read the comment docs.

@codecov
Copy link

codecov bot commented Jun 25, 2020
edited
Loading

Codecov Report

Merging #37596 into master will decrease coverage by 0.00%.
The diff coverage is 50.00%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #37596      +/-   ##
============================================
- Coverage     64.70%   64.70%   -0.01%     
  Complexity    19353    19353              
============================================
  Files          1281     1281              
  Lines         75612    75614       +2     
  Branches       1333     1333              
============================================
+ Hits          48925    48926       +1     
- Misses        26295    26296       +1     
  Partials        392      392
Flag Coverage Δ Complexity Δ
#javascript 54.03% <50.00%> (-0.01%) 0.00 <0.00> (ø)
#phpunit 65.88% <ø> (ø) 19353.00 <ø> (ø)
Impacted Files Coverage Δ Complexity Δ
core/js/js.js 55.04% <50.00%> (-0.02%) 0.00 <0.00> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f4ad0c7...e889485. Read the comment docs.

@micbar
Copy link
Contributor

micbar commented Jun 25, 2020

Needs changelog. Category security

make htmlPrefilter an identity function
e889485 
Signed-off-by: David Christofas <dchristofas@owncloud.com>
@owncloud owncloud deleted a comment from update-docs bot Jun 25, 2020
@phil-davis
Copy link
Contributor

phil-davis commented Jun 25, 2020

I will make a "backport" to release-10.5.0 branch.

@phil-davis phil-davis merged commit 620c2c6 into master Jun 25, 2020
@delete-merged-branch delete-merged-branch bot deleted the tweak-jquery branch June 25, 2020 15:49
@C0rby
Copy link
Contributor Author

C0rby commented Jun 25, 2020

Thanks you, @phil-davis!

@phil-davis phil-davis mentioned this pull request Jun 25, 2020
Merged
11 tasks
@phil-davis
Copy link
Contributor

phil-davis commented Jun 25, 2020

PR #37599 t release-10.5.0 branch.

@mmattel mmattel mentioned this pull request Jun 25, 2020
Closed
@C0rby
Copy link
Contributor Author

C0rby commented Jun 27, 2020

@C0rby Fix also #37463 ?

Yes, that is the same issue.

@voroyam voroyam mentioned this pull request Mar 5, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PVince81 PVince81 Awaiting requested review from PVince81

1 more reviewer

@micbar micbar micbar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@C0rby C0rby

Labels

3 - To Review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@C0rby @micbar @phil-davis
X Tutup