From 8c4da23c5f10f727f24fa4f2e9684b565ebb0fe1 Mon Sep 17 00:00:00 2001
From: Jen Lampton
Date: Mon, 15 Jan 2024 17:11:50 -0800
Subject: [PATCH] Issue #6417: Security hardening for jQuery form library. By @jenlampton, @klonos, @olafgrabienski, and @quicksketch. With code by Drupal.org users effulgentsia and pandaski.
---
 core/misc/ajax.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/core/misc/ajax.js b/core/misc/ajax.js
index 46d4785adc3..e06098afab1 100644
--- a/core/misc/ajax.js
+++ b/core/misc/ajax.js
@@ -367,6 +367,20 @@ Backdrop.ajax.prototype.beforeSerialize = function (element, options) {
 if (this.form) {
 var settings = this.settings || Backdrop.settings;
 Backdrop.detachBehaviors(this.form, settings, 'serialize');
+
+ // Ensure Backdrop isn't vulnerable to the bugs disclosed in the unmerged
+ // pull request: https://github.com/jquery-form/form/pull/586.
+ // - Under normal circumstances, the first if statement doesn't evaluate
+ // to true, because options.dataType is initialized in the Drupal.ajax()
+ // constructor.
+ // - Under normal circumstances, the second if statement doesn't evaluate
+ // to true, because $.parseJSON is initialized by jQuery.
+ if (!options.dataType && options.target) {
+ delete options.target;
+ }
+ if (!$.parseJSON) {
+ $.parseJSON = JSON.parse;
+ }
 }
 // Prevent duplicate HTML ids in the returned markup.
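Review bot: Both guards sit inside `beforeSerialize` under `if (this.form)`, so they only protect submissions that go through a `Backdrop.ajax` object; code that invokes the jQuery form plugin directly on a form would, as far as this hunk shows, not pass through them. The `$.parseJSON` fallback does not read `options` at all, so it could be installed once when ajax.js loads (`if (!$.parseJSON) { $.parseJSON = JSON.parse; }` at file scope), provided the bundled plugin looks the function up at submit time, which should be confirmed. The comment cites the `Drupal.ajax()` constructor although this file defines `Backdrop.ajax`; I would change that line to `// to true, because options.dataType is initialized in the Backdrop.ajax()`. It would also help to state in one sentence what each guard prevents, since the only explanation is an external link to an unmerged pull request. The enclosing function starts and ends outside the hunk.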