jquery-ui.js 1.25 KB
Newer Older
Ketan's avatar
Ketan committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */

define([
    'jquery'
], function ($) {
    'use strict';

    /**
     * Patch for CVE-2016-7103 (XSS vulnerability).
     * Can safely remove only when jQuery UI is upgraded to >= 1.12.x.
     * https://www.cvedetails.com/cve/CVE-2016-7103/
     */
    function dialogPatch() {
        $.widget('ui.dialog', $.ui.dialog, {
            /** @inheritdoc */
            _createTitlebar: function () {
                this.options.closeText = $('<a>').text('' + this.options.closeText).html();

                this._superApply();
            },

            /** @inheritdoc */
            _setOption: function (key, value) {
                if (key === 'closeText') {
                    value = $('<a>').text('' + value).html();
                }

                this._super(key, value);
            }
        });
    }

    return function () {
        var majorVersion = $.ui.version.split('.')[0],
            minorVersion = $.ui.version.split('.')[1];

        if (majorVersion === 1 && minorVersion >= 12 || majorVersion >= 2) {
            console.warn('jQuery patch for CVE-2016-7103 is no longer necessary, and should be removed');
        }

        dialogPatch();
    };
});