CVE-2020-27511 #355

Open
matteodelta opened this issue Jan 14, 2022 · 5 comments

Comments

@matteodelta

The last version of Prototype is affected by vulnerability CVE-2020-27511.

https://www.cvedetails.com/cve/CVE-2020-27511/

Will there be an update to fix that problem? Is there any other workaround?

Thanks

@kressly

kressly commented Jan 14, 2022

We really need an update to fix that problem, or a workaround.

@shuckster

From the link in CVE:

return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?(\/)?>|<\/\w+>/gi, '');

Caveat User

Note that the processing [[String#stripTags]] does is good enough for most purposes, but you cannot rely on it for security purposes.

@jwestbrook
Collaborator

#349 actually has the fixes ready

@madhusudhanreddyvade

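Change the stripTags function as below:

function stripTags() {
  // (?=(\w+))\N consumes the tag name atomically, so it is not re-split on backtracking.
  // The closing-tag branch back-references its own capture, which is group 4.
  return this.replace(/<(?=(\w+))\1(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/(?=(\w+))\4>/gi, '');
}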

@Neustradamus

Important to solve it and create a new build!
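
On the workaround asked for at the top of the thread, an added example that is not part of the thread or of Prototype's code: CVE-2020-27511 is a regular-expression denial of service in stripTags, and this tag stripper avoids a backtracking regex altogether and runs in time linear in the input length. The names stripTagsLinear, tagEnd and closeIndex are hypothetical, and like String#stripTags it removes tags for display and is not an HTML sanitizer.

```javascript
// Added example: hypothetical helpers, not Prototype's String#stripTags.
const WORD = /\w/, SPACE = /\s/; // single-character tests only

// close[j] = index just past the first '>' outside quotes when scanning
// from j (starting outside quotes), else -1. Built right to left in one
// pass, so no start position ever rescans the rest of the input.
function closeIndex(s) {
  const out = new Int32Array(s.length + 1).fill(-1);
  let dq = -1, sq = -1; // same answer when j lies inside "..." or '...'
  for (let j = s.length - 1; j >= 0; j--) {
    const c = s[j], o = out[j + 1];
    out[j] = c === '>' ? j + 1 : c === '"' ? dq : c === "'" ? sq : o;
    if (c === '"') dq = o; // a closing quote returns to the outside state
    if (c === "'") sq = o;
  }
  return out;
}

// Index just past the tag that starts at s[i] === '<', or -1 if none does.
function tagEnd(s, i, close) {
  let j = i + 1;
  const closing = s[j] === '/';
  if (closing) j++;
  const nameStart = j;
  while (j < s.length && WORD.test(s[j])) j++;
  if (j === nameStart) return -1;                     // '<' not followed by a name
  if (s[j] === '>') return j + 1;                     // <b> or </b>
  if (closing) return -1;                             // </b junk> is left alone
  if (s[j] === '/' && s[j + 1] === '>') return j + 2; // <br/>
  return SPACE.test(s[j] || '') ? close[j] : -1;      // <a href="x>y">
}

function stripTagsLinear(input) {
  const s = String(input), close = closeIndex(s);
  let out = '', textStart = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '<') continue;
    const end = tagEnd(s, i, close);
    if (end === -1) continue;      // keep this '<' as text
    out += s.slice(textStart, i);
    textStart = end;
    i = end - 1;                   // the loop increment moves i to end
  }
  return out + s.slice(textStart);
}

// Constructed sample input.
console.log(JSON.stringify(stripTagsLinear('<a href="x>y">link</a> 1 < 2 <br/>')));
```

An unterminated tag or quote is left in the output as text, so the result still has to be HTML-escaped before it is written into a page.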
