Manually apply JQuery fix for XSS bug (#9521) #711

joeduffy commented Sep 5, 2014

This addresses the XSS issue reported in JQuery bug #9521 and fixed in jquery/jquery@db9e023.

I noticed the copy of JQuery in the RDoc generator contains a known XSS security vulnerability that was fixed in JQuery mainline. It's a single character fix so rather than updating to the newest version of JQuery, it's easy enough just to patch the code to eliminate the. Simple enough but if you prefer a discussion on ruby-dev, I am happy to initiate it.

zzak commented Sep 5, 2014

I can't make heads or tails of this patch, so I'm just going to bump jQuery to the latest 1.6.x in RDoc and then backport to Ruby

@zzak zzak closed this Sep 5, 2014
zzak pushed a commit to ruby/rdoc that referenced this pull request Sep 5, 2014

joeduffy commented Sep 5, 2014

Thanks zzak (and sorry the patch didn't show up clearly). GitHub's diff doesn't like that the file is a single line and simply doesn't show the diff. The XSS fix boils down to a single character fix; from this:

/^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/,

to this:

/^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/,

Notice there's just a # in the fixed one, sandwiched before the ^ and <.

Upgrading JQuery to the latest 1.6.x is a better idea than patching. I believe the fix is in >= 1.6.2.
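
Added example, not part of the comments above and not code from jQuery or RDoc: it runs the two patterns quoted in the comment over a few constructed strings to show which inputs each one would treat as markup to build rather than as a selector. The `classify` helper, the `compare` function and the sample strings are hypothetical; capture group 1 is the markup branch and group 2 is the `#id` branch of the pattern.

```javascript
// The two patterns from the comment above, with their `*` quantifiers.
const QUICK_EXPR_OLD = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/;
const QUICK_EXPR_FIXED = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/;

// Hypothetical helper: how would a string be classified by the pattern?
function classify(quickExpr, input) {
  const m = quickExpr.exec(input);
  if (!m) {
    return { kind: "selector" };               // no match: left to the selector engine
  }
  if (m[1]) {
    return { kind: "html", markup: m[1] };     // group 1: string contains markup to build
  }
  return { kind: "id", id: m[2] };             // group 2: plain #id lookup
}

// Constructed sample inputs (benign markup only).
const SAMPLES = [
  "#main",                   // ordinary ID selector
  "<b>hello</b>",            // intentional HTML string
  "div.note",                // ordinary CSS selector
  "#<b>constructed</b>",     // starts like an ID selector but carries markup
  "#x <i>constructed</i>",   // same, with text between '#' and the tag
];

// Classify every sample with both patterns and flag the ones that differ.
function compare() {
  return SAMPLES.map((input) => {
    const before = classify(QUICK_EXPR_OLD, input).kind;
    const after = classify(QUICK_EXPR_FIXED, input).kind;
    return { input, before, after, changed: before !== after };
  });
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

Only the strings that begin with `#` and contain a tag change classification; intentional HTML strings and ordinary selectors behave the same under both patterns.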

Elffers pushed a commit to Elffers/rdoc that referenced this pull request Sep 8, 2014
jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Jan 26, 2015
=== 4.2.0 / 2014-12-06

* Major enhancements
  * RDoc can now produce translation files for use with gettext.  See
    RDoc::Generator::POT for a workflow for creating translations of your
    documentation.  Pull request #254 by Kouhei Sutou.

* Minor enhancements
  * RDoc now allows any single-word macro before a C method implementation.
    Issue #722 by Hanmac.
  * Now :all is a synonym for :private for RDoc::Options#visibility= to match
    the --all command line option.  Pull request #276 by Zachary Scott.
  * Running rake for the first time now installs racc.  Pull request #285 by
    Kouhei Sutou.
  * Added <code>-h</code> flag to also display help.  Issue #300 by Ryan Davis
  * search_index.js is now loaded asynchronously for improved performance.
  * Allow +X::Y+ as typewriter text.  Issue #319, pull request #322 by Jeremy
    Evans.
  * Added RDoc::RI::Task for building ri data easily through rake.  Pull
    request #332 by Zachary Scott.
  * A gzipped search index is generated for servers configured to use
    precompressed files.  Pull request #334 by Zachary Scott.
  * CSS files now live under /css relative to the document root.  Pull request
    #335 by Zachary Scott.
  * Improved detection of valid ruby in verbatim sections.  Pull request #333
    by Jeremy Evans.

* Bug fixes
  * Fixed HTML labels for cross-browser compatibility.  This breaks existing
    links but enables cross-browser compatibility.  Pull request #330 by Jens
    Wille.
  * RDoc handles ASCII-incompatible encodings now.  An encoding hint may need
    to be added to the file for RDoc to produce correct output, though.
    Issue #288 by Manuel Meurer.
  * Fixed height recalculation issues when headings are hovered.  Issue #289
    by Dietmar H. Büto.
  * RDoc now ignores its own output directories.  Pull Request #306 by
    Hsing-Hui Hsu, bug #305 by Ryan Davis.
  * Fixed RDoc::Task no longer uselessly builds documentation when generating
    non-HTML output.  Bug #307 by Christina Thompson, pull request #308 by
    Hsing-Hui Hsu
  * Added pointer to font copyright and license information to LEGAL.rdoc.
    Issue #290 by Christian Hofstaedtler.
  * Fixed RDoc::Context#<=> for ruby trunk.  Issue #284 by Hanmac, pull
    request #287 by Aaron Patterson
  * Tests no longer create directories inside test/.  Pull request #286 by
    Kouhei Sutou.
  * Fixed documentation example in RDoc::Markup.  Pull request #292 by Gregory
    Brown.
  * Applied typo fix to RDoc::Markup. Pull request #297 by @montanalow
  * Fixed pretty_print for RDoc::MethodAttr with an alias.  Pull request #324
    by Hsing-Hui Hsu.
  * Fixed lexing of %w"".  Issue #315 by Thierry Lambert, pull request #323 by
    Jeremy Evans.
  * RDoc::TokenStream now removes nil tokens.  Pull request #318 by Calle
    Erlandsson.
  * Fixed footer links to rubyforge and darkfish.  Pull request #328 by
    @blackwinter
  * Fixed page-top link.  Pull request #329 by @blackwinter
  * Minitest gem activation failures are now ignored during test startup.
    Issue #313 by Vít Ondruch.
  * Fixed error when generating documentation from singleton classes.  Issue
    #311 by Vít Ondruch.
  * Splat and keyword params can now be detected for documentation
    completeness.  Issue #321 Tom Kadwill.
  * Standalone anchors in markdown documents are no longer escaped.  Issue
    #312 by Scott Thompson.
  * Fixed RegExp matching stack overflow on Ruby 1.8.7.  Issue #327 by sshao.

=== 4.1.2 / 2014-09-05

* Bug fixes
  * Updated vendored jQuery to 1.6.4.  Bug ruby/ruby#711 by @neuralme