From ec9c33a0aab9d134de33f5bc17a489b889c8acf7 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Fri, 29 Jan 2021 15:19:37 -0800
Subject: [PATCH] jsxc: Fix issues with jQuery >= 3.5.0

In testing and unstable, jQuery 3.5.1 is available. For security reasons, it removes expanding of HTML code that JSXC relies on. Restore that functionality as shown in jQuery Upgrade Guide.

Tests performed:

- Log in JSXC. Add a contact. In the contact list, the name of the contact is shown properly.
- Clicking on the contact open a proper chat window.
- Using to two user accounts add each other to contact lists and start conversation, the conversation show work properly.
- Authenticating each other and performing a secure conversation should work properly.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/jsxc/static/jsxc-plinth.js | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/plinth/modules/jsxc/static/jsxc-plinth.js b/plinth/modules/jsxc/static/jsxc-plinth.js
index cfbb9c14e..9654a98dd 100644
--- a/plinth/modules/jsxc/static/jsxc-plinth.js
+++ b/plinth/modules/jsxc/static/jsxc-plinth.js
@@ -43,6 +43,16 @@
 # THE SOFTWARE.
 */
 
+// Provide compatibility with jQuery Core >= 3.5 by expanding HTML code similar
+// to how it was done before jQuery Core < 3.5. This code was removed because it
+// is potentially insecure when the HTML code being parsed is coming from the
+// user input. See: https://jquery.com/upgrade-guide/3.5/ . JSXC >= 4.0 likely
+// does not need this.
+var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;
+jQuery.htmlPrefilter = function(html) {
+  return html.replace(rxhtmlTag, "<$1>");
+};
+
 $(function() {
     const body = document.querySelector('body');
     const root = body.getAttribute('data-jsxc-root');
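Review bot: The `jQuery.htmlPrefilter` override added at the top of this hunk reinstates the self-closing-tag expansion that jQuery 3.5 removed for every `$(html)`, `.html()` and `.append()` call on the page, not only for JSXC, so the 3.5 hardening is undone page-wide rather than for one consumer. The added comment should state that scope explicitly, e.g. `// NOTE: this override is page-global; every HTML string passed to a jQuery manipulation API on this page must originate from trusted code, never from user- or contact-supplied data.` The commit's test notes say contact names render properly, which implies JSXC feeds strings from other XMPP users through jQuery — whether JSXC escapes those values before they reach the prefilter is not shown here and is worth confirming and recording in the comment. Minor style: the surrounding code already uses `const` (`const body`, `const root`), so `const rxhtmlTag = …;` fits the file better than `var`. The `$(function() {` handler continues past the end of the hunk.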
@@ -93,12 +103,13 @@ $(function() {
         formElements.prop('disabled', true);
         $('.submit').hide();
         $('.logout').show();
-    }
+    };
+
     var logged_out_state = function() {
         formElements.prop('disabled', false);
         $('.submit').show();
         $('.logout').hide();
-    }
+    };
 
     $(document).on('close.dialog.jsxc', function() {
         jsxc.debug('Event triggered close.dialog.jsxc');