mirror/syncthing
1
0
Fork 0
mirror of https://github.com/syncthing/syncthing.git synced 2026-05-09 07:33:35 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore(gui): upgrade jQuery to 3.7.1 to fix CVE-2020-11022, CVE-2020-11023, CVE-2015-9251 (#10673)

Browse Source 
## Summary

- Replace vendored `jquery-2.2.2.js` with `jquery-3.7.1.js` in
`gui/default/vendor/jquery/`
- Update script reference in `gui/default/index.html` to point to the
new file
- Update CDN reference in `cmd/infra/strelaypoolsrv/gui/index.html` from
`jquery-2.1.4.min.js` to `jquery-3.7.1.min.js`

## Why

The previously used jQuery versions (2.2.2 and 2.1.4) are vulnerable to
three known CVEs:

| CVE | Description | Fixed in |
|-----|-------------|----------|
| CVE-2015-9251 | XSS via cross-domain Ajax requests with non-text
content types | jQuery 3.0.0 |
| CVE-2020-11022 | XSS when passing HTML containing `<option>` elements
to manipulation methods | jQuery 3.5.0 |
| CVE-2020-11023 | XSS via passing HTML from untrusted sources to
manipulation methods | jQuery 3.5.0 |

jQuery 3.7.1 is the latest stable release and resolves all three.

## Compatibility notes

The GUI code was audited for jQuery 2→3 breaking changes. No removed
APIs are used:
- `.success()` / `.error()` calls throughout the codebase are
**AngularJS `$http`** promise methods, not jQuery — unaffected
- `.bind('beforeunload', ...)` is deprecated in jQuery 3 but not removed
— still works
- No usage of `.size()`, `.load()` event shorthand, `jQuery.isFunction`,
or `$.type()`

---------

Signed-off-by: Umer Azaz <umer_azaz@yahoo.com>
Co-authored-by: Jakob Borg <jakob@kastelo.net>
This commit is contained in:
Umer-Azaz
2026-05-09 15:30:18 +05:00
committed by GitHub
parent f538b47070
commit f3a9ee8ed6
4 changed files with 4729 additions and 3085 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/infra/strelaypoolsrv/gui/index.html
View File

@@ -193,7 +193,7 @@
</div>
<script type="text/javascript" src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
<script type="text/javascript" src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.8/angular.min.js"></script>
<script type="text/javascript" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
</body>

2
gui/default/index.html
View File

@@ -1051,7 +1051,7 @@
<ng-include src="'syncthing/device/shareDeviceIdDialogView.html'"></ng-include>
<!-- vendor scripts -->
<script type="text/javascript" src="vendor/jquery/jquery-2.2.2.js"></script>
<script type="text/javascript" src="vendor/jquery/jquery-3.7.1.js"></script>
<script type="text/javascript" src="vendor/angular/angular.js"></script>
<script type="text/javascript" src="vendor/angular/angular-sanitize.js"></script>
<script type="text/javascript" src="vendor/angular/angular-translate.js"></script>

1384
gui/default/vendor/bootstrap/js/bootstrap.js vendored
View File

File diff suppressed because it is too large Load Diff

6426
gui/default/vendor/jquery/jquery-2.2.2.js → gui/default/vendor/jquery/jquery-3.7.1.js vendored
View File

File diff suppressed because it is too large Load Diff