Issue #6417: Security hardening for jQuery form library.

By @jenlampton, @klonos, @olafgrabienski, and @quicksketch. With code by Drupal.org users effulgentsia and pandaski.
kiamlaluno · Mar 8, 2024 · 8c4da23 · 8c4da23
1 parent 9490ad3
commit 8c4da23
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/core/misc/ajax.js b/core/misc/ajax.js
@@ -367,6 +367,20 @@ Backdrop.ajax.prototype.beforeSerialize = function (element, options) {
   if (this.form) {
     var settings = this.settings || Backdrop.settings;
     Backdrop.detachBehaviors(this.form, settings, 'serialize');
+
+    // Ensure Backdrop isn't vulnerable to the bugs disclosed in the unmerged
+    // pull request: https://github.com/jquery-form/form/pull/586.
+    // - Under normal circumstances, the first if statement doesn't evaluate
+    //   to true, because options.dataType is initialized in the Drupal.ajax()
+    //   constructor.
+    // - Under normal circumstances, the second if statement doesn't evaluate
+    //   to true, because $.parseJSON is initialized by jQuery.
+    if (!options.dataType && options.target) {
+      delete options.target;
+    }
+    if (!$.parseJSON) {
+      $.parseJSON = JSON.parse;
+    }
   }
 
   // Prevent duplicate HTML ids in the returned markup.