MAGETWO-93724: [Backport for 2.1.x] jQuery is old and causing PCI scanning failures

Author: omiroshnichenko

app/code/Magento/Theme/view/base/requirejs-config.js

@@ -56,6 +56,9 @@ var config = {
         "mixins": {
             "jquery/jstree/jquery.jstree": {
                 "mage/backend/jstree-mixin": true
+            },
+            'jquery': {
+                'jquery/patches/jquery': true
             }
         }
     }

app/code/Magento/Theme/view/frontend/requirejs-config.js

@@ -40,5 +40,12 @@ var config = {
         "mage/dataPost",
         "js/theme",
         "mage/bootstrap"
-    ]
+    ],
+    config: {
+        mixins: {
+            'jquery/jquery-ui': {
+                'jquery/patches/jquery-ui': true
+            }
+        }
+    }
 };

lib/web/jquery/patches/jquery-ui.js

@@ -0,0 +1,46 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    'jquery'
+], function ($) {
+    'use strict';
+
+    /**
+     * Patch for CVE-2016-7103 (XSS vulnerability).
+     * Can safely remove only when jQuery UI is upgraded to >= 1.12.x.
+     * https://www.cvedetails.com/cve/CVE-2016-7103/
+     */
+    function dialogPatch() {
+        $.widget('ui.dialog', $.ui.dialog, {
+            /** @inheritdoc */
+            _createTitlebar: function () {
+                this.options.closeText = $('<a>').text('' + this.options.closeText).html();
+
+                this._superApply();
+            },
+
+            /** @inheritdoc */
+            _setOption: function (key, value) {
+                if (key === 'closeText') {
+                    value = $('<a>').text('' + value).html();
+                }
+
+                this._super(key, value);
+            }
+        });
+    }
+
+    return function () {
+        var majorVersion = $.ui.version.split('.')[0],
+            minorVersion = $.ui.version.split('.')[1];
+
+        if (majorVersion === 1 && minorVersion >= 12 || majorVersion >= 2) {
+            console.warn('jQuery patch for CVE-2016-7103 is no longer necessary, and should be removed');
+        }
+
+        dialogPatch();
+    };
+});

lib/web/jquery/patches/jquery.js

@@ -0,0 +1,35 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([], function () {
+    'use strict';
+
+    /**
+     * Patch for CVE-2015-9251 (XSS vulnerability).
+     * Can safely remove only when jQuery UI is upgraded to >= 3.3.x.
+     * https://www.cvedetails.com/cve/CVE-2015-9251/
+     */
+    function ajaxResponsePatch(jQuery) {
+        jQuery.ajaxPrefilter(function (s) {
+            if (s.crossDomain) {
+                s.contents.script = false;
+            }
+        });
+    }
+
+    return function ($) {
+        var majorVersion = $.fn.jquery.split('.')[0];
+
+        $.noConflict();
+
+        if (majorVersion >= 3) {
+            console.warn('jQuery patch for CVE-2015-9251 is no longer necessary, and should be removed');
+        }
+
+        ajaxResponsePatch($);
+
+        return $;
+    };
+});

lib/web/mage/translate-inline.js

@@ -158,33 +158,5 @@
         }
     });
 
-    $.widget('ui.button', $.ui.button, {
-        _create: function () {
-            this._super();
-            /**
-             * Decode HTML entities to prevent incorrect rendering of dialog button label
-             */
-            this.options.label = this.options.label
-                ? jQuery('<div/>').html(this.options.label).text()
-                : this.options.label;
-            /**
-             * Reset button to make decoded label visible
-             */
-            this._resetButton();
-        }
-    });
-
-    $.widget('ui.dialog', $.ui.dialog, {
-        /**
-         * Prevent rendering of dialog title as escaped HTML
-         */
-        _title: function (title) {
-            this._super(title);
-            if (this.options.title) {
-                title.html(this.options.title);
-            }
-        }
-    });
-
     return $.mage.translateInline;
 }));