Commit ab1f34f8 authored by dsnopek's avatar dsnopek Committed by dsnopek

Issue #2946582 by dsnopek: [core] Add D6LTS patch for SA-CORE-2018-001

parent afd532eb
diff --git a/includes/common.inc b/includes/common.inc
index 9a28c06..a5c362d 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1499,7 +1499,7 @@ function url($path = NULL, $options = array()) {
);
if (!isset($options['external'])) {
- $options['external'] = menu_path_is_external($path);
+ $options['external'] = $_GET['q'] === $path ? FALSE : menu_path_is_external($path);
}
// May need language dependent rewriting if language.inc is present.
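Review bot: The new line reads `$_GET['q']` unconditionally, so a url() call made before the request path has been initialised, or outside an HTTP request, raises an undefined-index notice and the comparison silently evaluates to false; `$options['external'] = isset($_GET['q']) && $_GET['q'] === $path ? FALSE : menu_path_is_external($path);` gives the same result whenever `q` is present. The intent of the exception is also not recorded in the code; a comment such as `// The current request path is never treated as external, so a link back to the current page cannot be turned into an off-site redirect when that path looks like an absolute URL.` would explain it (presumably the external link injection covered by SA-CORE-2018-001 named in the title). Note that the match is exact, so a path that differs only by a trailing slash still goes through menu_path_is_external(), which is the conservative outcome. url() starts before this hunk and continues after it.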
diff --git a/misc/drupal.js b/misc/drupal.js
index a85b8f8..f60eb0c 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -20,6 +20,42 @@
return jquery_init.call(this, selector, context, rootjQuery);
};
jQuery.fn.init.prototype = jquery_init.prototype;
+
+ /**
+ * Pre-filter Ajax requests to guard against XSS attacks.
+ *
+ * See https://github.com/jquery/jquery/issues/2432
+ */
+ if ($.ajaxPrefilter) {
+ // For newer versions of jQuery, use an Ajax prefilter to prevent
+ // auto-executing script tags from untrusted domains. This is similar to the
+ // fix that is built in to jQuery 3.0 and higher.
+ $.ajaxPrefilter(function (s) {
+ if (s.crossDomain) {
+ s.contents.script = false;
+ }
+ });
+ }
+ else if ($.httpData) {
+ // For the version of jQuery that ships with Drupal core, override
+ // jQuery.httpData to prevent auto-detecting "script" data types from
+ // untrusted domains.
+ var jquery_httpData = $.httpData;
+ $.httpData = function (xhr, type, s) {
+ // @todo Consider backporting code from newer jQuery versions to check for
+ // a cross-domain request here, rather than using Drupal.urlIsLocal() to
+ // block scripts from all URLs that are not on the same site.
+ if (!type && !Drupal.urlIsLocal(s.url)) {
+ var content_type = xhr.getResponseHeader('content-type') || '';
+ if (content_type.indexOf('javascript') >= 0) {
+ // Default to a safe data type.
+ type = 'text';
+ }
+ }
+ return jquery_httpData.call(this, xhr, type, s);
+ };
+ $.httpData.prototype = jquery_httpData.prototype;
+ }
})();
var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} };
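Review bot: The guard in the httpData override, `if (!type && !Drupal.urlIsLocal(s.url))`, rests on two things this page does not establish: `Drupal.urlIsLocal` is not defined in any visible hunk, and the third argument of the legacy `jQuery.httpData` is the settings object only in some 1.x releases (others pass the dataFilter callback there), in which case `s.url` is undefined and the check either throws or never fires. Both should be confirmed against the jQuery bundled in this branch, and the condition written to fail closed so that a missing helper or URL still downgrades javascript responses to text: `if (!type && !(s && s.url && Drupal.urlIsLocal && Drupal.urlIsLocal(s.url))) {`. A short comment above the override, `// Fails closed: if the request URL cannot be determined, treat it as off-site.`, would record that choice. The enclosing IIFE opens before this hunk.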
@@ -71,7 +107,7 @@ Drupal.attachBehaviors = function(context) {
*/
Drupal.checkPlain = function(str) {
str = String(str);
- var replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
+ var replace = { '&': '&amp;', "'": '&#39;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
for (var character in replace) {
var regex = new RegExp(character, 'g');
str = str.replace(regex, replace[character]);
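Review bot: The extended table is only correct because `&` is the first key the `for...in` loop visits — the new `&#39;` and the other entities contain `&`, and replacing it afterwards would double-escape them — yet nothing in the hunk says so; add `// '&' must stay first: the other entities contain '&' and would be double-escaped otherwise.` above the `var replace` line. Each key is also compiled into a RegExp unescaped, which is safe for these five characters but would break silently for a metacharacter; a single pass, `str = str.replace(/[&'"<>]/g, function (c) { return replace[c]; });`, removes both the ordering dependence and the per-key RegExp construction while producing identical output. Drupal.checkPlain continues past the end of this hunk.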