search

prototypejs / prototype

Prototype JavaScript framework
http://prototypejs.org/
Other
3.53k stars 639 forks source link

CVE-2020-27511 #355

Open matteodelta opened 2 years ago

matteodelta commented 2 years ago

Last version of prototype is affected by vulnerability CVE-2020-27511

https://www.cvedetails.com/cve/CVE-2020-27511/

there will be an update to fix that problem? any other workaround?

Thanks

kressly commented 2 years ago

We really need an update to fix that problem or a work around

shuckster commented 2 years ago

From the link in CVE:

https://github.com/prototypejs/prototype/blob/dee2f7d8611248abce81287e1be4156011953c90/src/prototype/lang/string.js#L283

  • Caveat User
  • Note that the processing [[String#stripTags]] does is good enough for most
  • purposes, but you cannot rely on it for security purposes.
jwestbrook commented 2 years ago

349 actually has the fixes ready

madhusudhanreddyvade commented 2 years ago

Change stripTags function as below

function stripTags() { return this.replace(/<(?=(\w+))\1(\s+("[^"]"|'[^']'|[^>])+)?>|<\/(?=(\w+))\1>/gi, ''); }

Neustradamus commented 1 year ago

Important to solve it and create a new build!