✨ jQuery v1.8.4-sec

Author: ctcpip

README.md

@@ -14,7 +14,7 @@ In a perfect world, at least every MAJOR EOL jQuery release line would have a se
 | ✅     | `1.5.2`        | `1.5.3-sec`        | [1.5.3-sec] | [PR][1.5.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]            |
 | ✅     | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec] | [PR][1.6.5-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
 | ✅     | `1.7.2`        | `1.7.3-sec`        | [1.7.3-sec] | [PR][1.7.3-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
-| 🚧     | `1.8.3`        | `1.8.4-sec`        |             |                |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
+| ✅     | `1.8.3`        | `1.8.4-sec`        | [1.8.4-sec] | [PR][1.8.4-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                               |
 | 🚧     | `1.12.4`       | `1.12.5-sec`       |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023]                                                                     |
 | 🚧     | `2.2.4`        | `2.2.5-sec`        |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                                 |
 
@@ -70,6 +70,8 @@ Ultimately, our hope is that these patched versions can be approved and accepted
 [1.6.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/1
 [1.7.3-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.7.3-sec
 [1.7.3-pr]: https://github.com/ctcpip/jquery-security-patches/pull/7
+[1.8.4-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.8.4-sec
+[1.8.4-pr]: https://github.com/ctcpip/jquery-security-patches/pull/8
 [CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
 [CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
 [CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98

security/README.md

@@ -7,6 +7,9 @@
 
 ## Prerequisites
 
+- [Make](https://en.wikipedia.org/wiki/Make_(software))
+- Node.js
+  - Node v20, the current LTS version at the time of this writing is the version used, although you may be successful with other versions
 - For older jQuery versions (1.2.6 through 1.5.2<!-- update as needed -->), you'll need to install php 5.6
   - For Macs, We recommend using [homebrew-php](https://github.com/shivammathur/homebrew-php)
 
@@ -54,6 +57,7 @@
 - Checkout the `1.5.2` or `1.5.3-sec` branch
 - From the root folder of the repo:
   - `git submodule update --recursive`
+    - if you get errors updating submodules, you may need to search for `[submodule` and update git:// urls to https://
   - `cd test`
   - Create symlink to src in test folder:
     - `ln -s ../src src`
@@ -68,6 +72,7 @@
 - Checkout the `1.6.4` or `1.6.5-sec` branch
 - From the root folder of the repo:
   - `git submodule update --recursive`
+    - if you get errors updating submodules, you may need to search for `[submodule` and update git:// urls to https://
   - Run php server:
     - `php -S 127.0.0.1:8000 -t test`
 - Open `127.0.0.1:8000/tests/index.html` in your browser
@@ -77,6 +82,31 @@
 - Checkout the `1.7.2` or `1.7.3-sec` branch
 - From the root folder of the repo:
   - `git submodule update --recursive`
+    - if you get errors updating submodules, you may need to search for `[submodule` and update git:// urls to https://
+  - Run php server:
+    - `php -S 127.0.0.1:8000 -t test`
+- Open `127.0.0.1:8000/tests/index.html` in your browser
+
+#### 1.8.3 / 1.8.4-sec
+
+- Checkout the `1.8.3` or `1.8.4-sec` branch
+- From the root folder of the repo:
+  - `git submodule update --recursive`
+    - If you get errors updating submodules, you may need to search for `[submodule` and update git:// urls to https://
+  - Globally install the requisite ancient version of grunt: `npm i grunt@0.3.9 -g`
+  - `npm i`
+  - Modify the `grunt.js` file
+    - Remove `submodules` from the default grunt task
+    - Remove `compare_size` from default grunt task
+  - Run `grunt`
+    - You should get errors about `path.existsSync()` in `node_modules/grunt/lib/util/findup.js` and in `node_modules/grunt/bin/grunt`
+      - Modify both files to `require('fs')` and change `path.existsSync()` to `fs.existsSync()`
+  - Run `grunt`
+    - It should work now
+  - `cd test`
+  - Create symlink to dist in test folder:
+    - `ln -s ../dist dist`
+  - `cd ..`
   - Run php server:
     - `php -S 127.0.0.1:8000 -t test`
 - Open `127.0.0.1:8000/tests/index.html` in your browser
@@ -145,3 +175,20 @@ You can run the A/B tests locally in CI mode or manually in the browser
 - From the root folder of the repo:
   - Run `make`
     - This will output `./dist/jquery.js`
+
+#### 1.8.3 / 1.8.4-sec
+
+- Checkout the `1.8.3` or `1.8.4-sec` branch
+- From the root folder of the repo:
+  - `git submodule update --recursive`
+    - If you get errors updating submodules, you may need to search for `[submodule` and update git:// urls to https://
+  - Globally install the requisite ancient version of grunt: `npm i grunt@0.3.9 -g`
+  - `npm i`
+  - Modify the `grunt.js` file
+    - Remove `submodules` from the default grunt task
+    - Remove `compare_size` from default grunt task
+  - Run `grunt`
+  - You should get errors about `path.existsSync()` in `node_modules/grunt/lib/util/findup.js` and in `node_modules/grunt/bin/grunt`
+    - Modify both files to `require('fs')` and change `path.existsSync()` to `fs.existsSync()`
+  - Run `grunt`
+    - This will output `./dist/jquery.js`

security/site/vendor/jquery-1.8.4-sec.js

@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v1.8.3
+ * jQuery JavaScript Library v1.8.4-sec
  * http://jquery.com/
  *
  * Includes Sizzle.js
@@ -9,7 +9,7 @@
  * Released under the MIT license
  * http://jquery.org/license
  *
- * Date: Tue Nov 13 2012 08:20:33 GMT-0500 (Eastern Standard Time)
+ * Date: Sat Feb 17 2024 00:41:53 GMT-0600 (Central Standard Time)
  */
 (function( window, undefined ) {
 var
@@ -55,8 +55,10 @@ var
 	rtrim = /^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,
 
 	// A simple way to check for HTML strings
-	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+	// Prioritize #id over <tag> to avoid XSS via location.hash (trac-9521)
+	// Strict HTML recognition (trac-11290: must start with <)
+	// Shortcut simple #id case for speed
+	rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w\-]+))$/,
 
 	// Match a standalone tag
 	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/,
@@ -322,8 +324,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
@@ -5664,7 +5667,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
 		"header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",
 	rinlinejQuery = / jQuery\d+="(?:null|\d+)"/g,
 	rleadingWhitespace = /^\s+/,
-	rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,
 	rtagName = /<([\w:]+)/,
 	rtbody = /<tbody/i,
 	rhtml = /<|&#?\w+;/,
@@ -5677,7 +5679,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
 	rscriptType = /\/(java|ecma)script/i,
 	rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)|[\]\-]{2}>\s*$/g,
 	wrapMap = {
-		option: [ 1, "<select multiple='multiple'>", "</select>" ],
 		legend: [ 1, "<fieldset>", "</fieldset>" ],
 		thead: [ 1, "<table>", "</table>" ],
 		tr: [ 2, "<table><tbody>", "</tbody></table>" ],
@@ -5689,7 +5690,6 @@ var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figca
 	safeFragment = createSafeFragment( document ),
 	fragmentDiv = safeFragment.appendChild( document.createElement("div") );
 
-wrapMap.optgroup = wrapMap.option;
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
@@ -5882,8 +5882,6 @@ jQuery.fn.extend({
 				( jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value ) ) &&
 				!wrapMap[ ( rtagName.exec( value ) || ["", ""] )[1].toLowerCase() ] ) {
 
-				value = value.replace( rxhtmlTag, "<$1></$2>" );
-
 				try {
 					for (; i < l; i++ ) {
 						// Remove element nodes and prevent memory leaks
@@ -6315,9 +6313,6 @@ jQuery.extend({
 					div = context.createElement("div");
 					safe.appendChild( div );
 
-					// Fix "XHTML"-style tags in all browsers
-					elem = elem.replace(rxhtmlTag, "<$1></$2>");
-
 					// Go to html and back, then peel off extra wrappers
 					tag = ( rtagName.exec( elem ) || ["", ""] )[1].toLowerCase();
 					wrap = wrapMap[ tag ] || wrapMap._default;
@@ -7288,7 +7283,7 @@ var
 	rnoContent = /^(?:GET|HEAD)$/,
 	rprotocol = /^\/\//,
 	rquery = /\?/,
-	rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
+	rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi,
 	rts = /([?&])_=[^&]*/,
 	rurl = /^([\w\+\.\-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/,
 
@@ -8245,6 +8240,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
 		return "script";
 	}
 });
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+	if ( s.crossDomain ) {
+			s.contents.script = false;
+	}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup({
 	accepts: {

security/test/test.mjs

@@ -13,6 +13,7 @@ const patchedVersions = [
 	'1.5.3-sec',
 	'1.6.5-sec',
 	'1.7.3-sec',
+	'1.8.4-sec',
 ];
 
 function banner(txt, {borderColor = 'magenta', textColor = 'cyan'} = {borderColor: 'magenta',  textColor: 'cyan'}) {