MAGETWO-93723: jQuery is old and causing PCI scanning failures

Oleksandr Miroshnichenko · Oleksandr Miroshnichenko · commit 86fdea32b19d · 2018-09-05T14:57:04.000-05:00
diff --git a/app/code/Magento/Theme/view/base/requirejs-config.js b/app/code/Magento/Theme/view/base/requirejs-config.js
@@ -52,6 +52,9 @@ var config = {
         'mixins': {
             'jquery/jstree/jquery.jstree': {
                 'mage/backend/jstree-mixin': true
+            },
+            'jquery': {
+                'jquery/patches/jquery': true
             }
         },
         'text': {
@@ -61,9 +64,3 @@ var config = {
         }
     }
 };
-
-require(['jquery'], function ($) {
-    'use strict';
-
-    $.noConflict();
-});
diff --git a/app/code/Magento/Theme/view/frontend/requirejs-config.js b/app/code/Magento/Theme/view/frontend/requirejs-config.js
@@ -44,6 +44,9 @@ var config = {
         mixins: {
             'Magento_Theme/js/view/breadcrumbs': {
                 'Magento_Theme/js/view/add-home-breadcrumb': true
+            },
+            'jquery/jquery-ui': {
+                'jquery/patches/jquery-ui': true
             }
         }
     }
diff --git a/lib/web/jquery/patches/jquery-ui.js b/lib/web/jquery/patches/jquery-ui.js
@@ -0,0 +1,46 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    'jquery'
+], function ($) {
+    'use strict';
+
+    /**
+     * Patch for CVE-2016-7103 (XSS vulnerability).
+     * Can safely remove only when jQuery UI is upgraded to >= 1.12.x.
+     * https://www.cvedetails.com/cve/CVE-2016-7103/
+     */
+    function dialogPatch() {
+        $.widget('ui.dialog', $.ui.dialog, {
+            /** @inheritdoc */
+            _createTitlebar: function () {
+                this.options.closeText = $('<a>').text('' + this.options.closeText).html();
+
+                this._superApply();
+            },
+
+            /** @inheritdoc */
+            _setOption: function (key, value) {
+                if (key === 'closeText') {
+                    value = $('<a>').text('' + value).html();
+                }
+
+                this._super(key, value);
+            }
+        });
+    }
+
+    return function () {
+        var majorVersion = $.ui.version.split('.')[0],
+            minorVersion = $.ui.version.split('.')[1];
+
+        if (majorVersion === 1 && minorVersion >= 12 || majorVersion >= 2) {
+            console.warn('jQuery patch for CVE-2016-7103 is no longer necessary, and should be removed');
+        }
+
+        dialogPatch();
+    };
+});
diff --git a/lib/web/jquery/patches/jquery.js b/lib/web/jquery/patches/jquery.js
@@ -0,0 +1,35 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([], function () {
+    'use strict';
+
+    /**
+     * Patch for CVE-2015-9251 (XSS vulnerability).
+     * Can safely remove only when jQuery UI is upgraded to >= 3.3.x.
+     * https://www.cvedetails.com/cve/CVE-2015-9251/
+     */
+    function ajaxResponsePatch(jQuery) {
+        jQuery.ajaxPrefilter(function (s) {
+            if (s.crossDomain) {
+                s.contents.script = false;
+            }
+        });
+    }
+
+    return function ($) {
+        var majorVersion = $.fn.jquery.split('.')[0];
+
+        $.noConflict();
+
+        if (majorVersion >= 3) {
+            console.warn('jQuery patch for CVE-2015-9251 is no longer necessary, and should be removed');
+        }
+
+        ajaxResponsePatch(jQuery);
+
+        return jQuery;
+    };
+});
diff --git a/lib/web/mage/translate-inline.js b/lib/web/mage/translate-inline.js
@@ -200,32 +200,5 @@
         }
     });
 
-    $.widget('ui.button', $.ui.button, {
-        /**
-         * @private
-         */
-        _create: function () {
-            this._super();
-            // Decode HTML entities to prevent incorrect rendering of dialog button label
-            this.options.label = this.options.label ?
-                jQuery('<div/>').html(this.options.label).text() : this.options.label;
-            //Reset button to make decoded label visible
-            this._resetButton();
-        }
-    });
-
-    $.widget('ui.dialog', $.ui.dialog, {
-        /**
-         * Prevent rendering of dialog title as escaped HTML
-         */
-        _title: function (title) {
-            this._super(title);
-
-            if (this.options.title) {
-                title.html(this.options.title);
-            }
-        }
-    });
-
     return $.mage.translateInline;
 }));

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,9 @@ var config = {`
`52`	`52`	`'mixins': {`
`53`	`53`	`'jquery/jstree/jquery.jstree': {`
`54`	`54`	`'mage/backend/jstree-mixin': true`
	`55`	`+ },`
	`56`	`+ 'jquery': {`
	`57`	`+ 'jquery/patches/jquery': true`
`55`	`58`	`}`
`56`	`59`	`},`
`57`	`60`	`'text': {`
`@@ -61,9 +64,3 @@ var config = {`
`61`	`64`	`}`
`62`	`65`	`}`
`63`	`66`	`};`
`64`		`-`
`65`		`-require(['jquery'], function ($) {`
`66`		`- 'use strict';`
`67`		`-`
`68`		`- $.noConflict();`
`69`		`-});`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,9 @@ var config = {`
`44`	`44`	`mixins: {`
`45`	`45`	`'Magento_Theme/js/view/breadcrumbs': {`
`46`	`46`	`'Magento_Theme/js/view/add-home-breadcrumb': true`
	`47`	`+ },`
	`48`	`+ 'jquery/jquery-ui': {`
	`49`	`+ 'jquery/patches/jquery-ui': true`
`47`	`50`	`}`
`48`	`51`	`}`
`49`	`52`	`}`