🔒️ fix CVE-2020-7656

Author: ctcpip

component.json

@@ -1,6 +1,6 @@
 {
   "name"        : "jquery",
-  "version"     : "1.2.6",
+  "version"     : "1.2.7-sec",
   "main"        : "./jquery.js",
   "dependencies": {
   }

jquery.js

@@ -1,13 +1,13 @@
 (function(){
 /*
- * jQuery 1.2.6 - New Wave Javascript
+ * jQuery 1.2.7-sec - New Wave Javascript
  *
  * Copyright (c) 2008 John Resig (jquery.com)
  * Dual licensed under the MIT (MIT-LICENSE.txt)
  * and GPL (GPL-LICENSE.txt) licenses.
  *
- * $Date: 2008/05/26 $
- * $Rev: 5685 $
+ * $Date$
+ * $Rev$
  */
 
 // Map over jQuery in case of overwrite
@@ -21,8 +21,9 @@ var jQuery = window.jQuery = window.$ = function( selector, context ) {
 };
 
 // A simple way to check for HTML strings or ID strings
-// (both of which we optimize for)
-var quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#(\w+)$/,
+// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+// Strict HTML recognition (#11290: must start with <)
+quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
 
 // Is it a simple selector
 	isSimple = /^.[^:#\[\.]*$/,
@@ -55,13 +56,13 @@ jQuery.fn = jQuery.prototype = {
 
 				// HANDLE: $("#id")
 				else {
-					var elem = document.getElementById( match[3] );
+					var elem = document.getElementById( match[2] );
 
 					// Make sure an element was located
 					if ( elem ){
 						// Handle the case where IE and Opera return items
 						// by name instead of ID
-						if ( elem.id != match[3] )
+						if ( elem.id != match[2] )
 							return jQuery().find( selector );
 
 						// Otherwise, we inject the element directly into the jQuery object
@@ -84,7 +85,7 @@ jQuery.fn = jQuery.prototype = {
 	},
 
 	// The current version of jQuery being used
-	jquery: "1.2.6",
+	jquery: "1.2.7-sec",
 
 	// The number of elements contained in the matched element set
 	size: function() {
@@ -576,8 +577,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 			for ( var name in options ) {
 				var src = target[ name ], copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy )
+				if ( name === "__proto__" || target === copy )
 					continue;
 
 				// Recurse if we're merging object values
@@ -952,13 +954,6 @@ jQuery.extend({
 
 			// Convert html string into DOM nodes
 			if ( typeof elem == "string" ) {
-				// Fix "XHTML"-style tags in all browsers
-				elem = elem.replace(/(<(\w+)[^>]*?)\/>/g, function(all, front, tag){
-					return tag.match(/^(abbr|br|col|img|input|link|meta|param|hr|area|embed)$/i) ?
-						all :
-						front + "></" + tag + ">";
-				});
-
 				// Trim whitespace, otherwise indexOf won't work as expected
 				var tags = jQuery.trim( elem ).toLowerCase(), div = context.createElement("div");
 
@@ -2463,7 +2458,7 @@ jQuery.fn.extend({
 						jQuery("<div/>")
 							// inject the contents of the document in, removing the scripts
 							// to avoid any 'Permission Denied' errors in IE
-							.append(res.responseText.replace(/<script(.|\s)*?\/script>/g, ""))
+							.append(res.responseText.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi, ""))
 
 							// Locate the specified elements
 							.find(selector) :

src/ajax.js

@@ -48,7 +48,7 @@ jQuery.fn.extend({
 						jQuery("<div/>")
 							// inject the contents of the document in, removing the scripts
 							// to avoid any 'Permission Denied' errors in IE
-							.append(res.responseText.replace(/<script(.|\s)*?\/script>/g, ""))
+							.append(res.responseText.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi, ""))
 
 							// Locate the specified elements
 							.find(selector) :

version.txt

@@ -1 +1 @@
-1.2.6
+1.2.7-sec