From 6978078ee5d90f94d6677ce896800695d2da7885 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Thu, 28 May 2020 16:00:57 +1000
Subject: [PATCH] Patch jQuery for CVE-2020-11022 and CVE-2020-11023
---
 js/Common.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/js/Common.js b/js/Common.js
index 47c6e48b18e0..05b037d7c8ae 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1624,4 +1624,9 @@ if (!CRM.vars) CRM.vars = {};
 }
 });
+ // CVE-2020-11022 and CVE-2020-11023 Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
+ $.htmlPrefilter = function(html) {
+ return html;
+ };
+
 })(jQuery, _);
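Review bot: The comment on the first added line describes the vulnerability but not what the override does, so a later maintainer has no way to tell the no-op-looking `return html;` is the fix and not dead code; the mechanism belongs next to it: this replaces the bundled jQuery's `htmlPrefilter`, which in releases before 3.5 rewrote self-closing tags such as `<div/>` into `<div></div>` with a regex, by the identity function, which is the change jQuery 3.5.0 itself made and the workaround its advisory recommends for older builds. Proposed wording: `// Override jQuery's pre-3.5 htmlPrefilter (which expanded self-closing tags via regex) with the identity function, as jQuery 3.5 does; anything that reassigns $.htmlPrefilter later (e.g. a migrate plugin) would reopen the issue.` Two caveats worth recording in the same comment: markup that relied on `<tag/>` being expanded now renders differently, and whether the identity prefilter alone also covers the `<option>` case of CVE-2020-11023 on the specific bundled jQuery version cannot be confirmed from this hunk — check the accompanying jQuery build. The enclosing `(function($, _) { ... })(jQuery, _)` wrapper starts outside the hunk.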