Origin: https://git.drupalcode.org/project/drupal/-/commit/799a0ee7bc3765309b7da66f1c5097e7f61a4125
Forwarded: not-needed
From: Lauri Eskola, Chris, Drew Webber, Alex Bronstein, Ben Mullins, xjm, Théodore Biadala
Date: Wed Jan 19 01:23:19 PM CST
Subject: Fixes for SA-CORE-2022-1 and SA-CORE-2022-2
 Backported the diff between 7.85 and 7.86, applying it to the version in the
 old-stable Debian release (7.52)
 .
 Both SA-CORE-2022-1 and SA-CORE-2022-2 deal with cross-site scripting attacks
 derived from the use of jQuery 1.13.
Index: drupal7/misc/ui/jquery.ui.datepicker-1.13.0-backport.js
===================================================================
--- /dev/null
+++ drupal7/misc/ui/jquery.ui.datepicker-1.13.0-backport.js
@@ -0,0 +1,36 @@
+/**
+ * Backport of security fixes from:
+ * https://github.com/jquery/jquery-ui/pull/1953
+ * https://github.com/jquery/jquery-ui/pull/1954
+ */
+
+(function ($, Drupal) {
+
+  // No backport is needed if we're already on jQuery UI 1.13 or higher.
+  var versionParts = $.ui.datepicker.version.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+  if ( (majorVersion > 1) || (majorVersion === 1 && minorVersion >= 13) ) {
+    return;
+  }
+
+  var fnOriginalGet = $.datepicker._get;
+  $.extend($.datepicker, {
+
+    _get: function( inst, name ) {
+      var val = fnOriginalGet.call(this, inst, name);
+
+      // @see https://github.com/jquery/jquery-ui/pull/1954
+      if (name === 'altField') {
+        val = $(document).find(val);
+      }
+      // @see https://github.com/jquery/jquery-ui/pull/1953
+      else if ($.inArray(name, ['appendText', 'buttonText', 'prevText', 'currentText', 'nextText', 'closeText']) !== -1) {
+        val = Drupal.checkPlain(val);
+      }
+
+      return val;
+    }
+
+  })
+})(jQuery, Drupal);
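Review bot: The `altField` branch at L40 runs `$(document).find(val)` unconditionally, whereas the position backport in this same patch only routes through `.find()` when the value is a string and otherwise wraps it with `$(...)`; an `altField` supplied as an element or jQuery object (which the option accepts) may come back empty if the bundled jQuery's `.find()` only understands selector strings — worth confirming against the jQuery version shipped with 7.52. Making the two backports consistent is a one-line change: `val = typeof val === 'string' ? $(document).find(val) : $(val);`. As a matter of style, `parseInt(versionParts[0])` and `parseInt(versionParts[1])` at L26–L27 should pass the radix, `parseInt(versionParts[0], 10)`, and the `$.extend(...)` statement ending at L50 is missing its terminating semicolon. Since `_get` returns the escaped value without storing it back into `inst.settings`, the `Drupal.checkPlain` call at L44 does not double-escape across repeated lookups, which is worth stating in a comment there.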
Index: drupal7/misc/ui/jquery.ui.dialog-1.13.0-backport.js
===================================================================
--- /dev/null
+++ drupal7/misc/ui/jquery.ui.dialog-1.13.0-backport.js
@@ -0,0 +1,58 @@
+/**
+ * Backport of security fixes from:
+ * https://bugs.jqueryui.com/ticket/6016
+ * https://github.com/jquery/jquery-ui/pull/1635/files
+ */
+
+(function ($) {
+
+  // Parts of this backport differ by jQuery version.
+  var versionParts = $.ui.dialog.version.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+
+  if (majorVersion === 1 && minorVersion < 13) {
+    var _originalSetOption = $.ui.dialog.prototype._setOption;
+    var _originalCreateTitlebar = $.ui.dialog.prototype._createTitlebar;
+
+    $.extend($.ui.dialog.prototype, {
+
+      _createTitlebar: function () {
+        if (this.options.closeText) {
+          this.options.closeText = Drupal.checkPlain(this.options.closeText);
+        }
+        _originalCreateTitlebar.apply(this, arguments);
+      },
+
+      _setOption: function (key, value) {
+        if (key === 'title' || key == 'closeText') {
+          if (value) {
+            value = Drupal.checkPlain(value);
+          }
+        }
+        _originalSetOption.apply(this, [key, value]);
+      }
+    });
+
+    if (majorVersion === 1 && minorVersion < 10) {
+      var _originalCreate = $.ui.dialog.prototype._create;
+
+      $.extend($.ui.dialog.prototype, {
+
+        _create: function () {
+          if (!this.options.title) {
+            var defaultTitle = this.element.attr('title');
+            // .attr() might return a DOMElement
+            if (typeof defaultTitle !== "string") {
+              defaultTitle = "";
+            }
+            this.options.title = defaultTitle;
+          }
+          this.options.title = Drupal.checkPlain(this.options.title);
+          _originalCreate.apply(this, arguments);
+        },
+      });
+    }
+  }
+
+})(jQuery);
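Review bot: L84 mixes strict and loose equality in one condition, `key === 'title' || key == 'closeText'`; use `===` for both so a non-string key cannot coerce into the escaping branch by accident. `Drupal` is referenced at L78, L86 and L107 as a bare global even though the datepicker backport in this patch passes it in explicitly, `(function ($, Drupal) { ... })(jQuery, Drupal);` — the same shape here would make the dependency on drupal.js visible. `_createTitlebar` at L77–L79 writes the escaped `closeText` back into `this.options`, so if that method were ever invoked twice on one instance the text would be escaped twice; a comment noting that it relies on single invocation would help the next maintainer. The trailing comma after the `_create` method at L109 is valid ES5 but may be rejected by legacy browsers Drupal 7 still lists as supported — confirm before shipping.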
Index: drupal7/misc/ui/jquery.ui.position-1.13.0-backport.js
===================================================================
--- /dev/null
+++ drupal7/misc/ui/jquery.ui.position-1.13.0-backport.js
@@ -0,0 +1,30 @@
+/**
+ * Backport of security fix from:
+ * https://github.com/jquery/jquery-ui/pull/1955/files
+ */
+
+(function ($) {
+
+  // No backport is needed if we're already on jQuery UI 1.13 or higher.
+  var versionParts = $.ui.version.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+  if ( (majorVersion > 1) || (majorVersion === 1 && minorVersion >= 13) ) {
+    return;
+  }
+
+  var fnOriginalPosition = $.fn.position;
+  $.fn.extend({
+    'position': function (options) {
+
+      // Make sure string options are treated as CSS selectors
+      var target = typeof options.of === "string" ?
+        $(document).find(options.of) :
+        $(options.of);
+
+      options.of = (target[0] === undefined) ? null : target;
+      return fnOriginalPosition.call(this, options);
+    }
+  });
+
+})(jQuery);
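Review bot: The wrapper at L137–L146 dereferences `options.of` on L140 before checking that `options` exists, so any caller that invokes plain `.position()` with no arguments — which jQuery core supports and the original `$.fn.position` presumably passed through — now throws a TypeError instead of reaching `fnOriginalPosition`. It also assigns `options.of` on L144, overwriting the caller's object; the upstream fix this backports works on a copy. Both are fixed by guarding at the top of the function and copying `options` before mutating it, as below; the selector-versus-element resolution after that stays as written.
```javascript
    'position': function (options) {
      // Argument-less .position() (or no "of" target): defer to the original
      // implementation unchanged rather than dereferencing options.of below.
      if (!options || !options.of) {
        return fnOriginalPosition.apply(this, arguments);
      }
      // Work on a copy so the caller's options object is not rewritten.
      options = $.extend({}, options);

      // … unchanged: resolve options.of as a CSS selector or element, call fnOriginalPosition …
```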
Index: drupal7/modules/system/system.module
===================================================================
--- drupal7.orig/modules/system/system.module
+++ drupal7/modules/system/system.module
@@ -1324,6 +1324,7 @@ function system_library() {
     'version' => '1.8.7',
     'js' => array(
       'misc/ui/jquery.ui.datepicker.min.js' => array(),
+      'misc/ui/jquery.ui.datepicker-1.13.0-backport.js' => array(),
     ),
     'css' => array(
       'misc/ui/jquery.ui.datepicker.css' => array(),
@@ -1337,7 +1338,8 @@ function system_library() {
     'website' => 'http://jqueryui.com/demos/dialog/',
     'version' => '1.8.7',
     'js' => array(
-      'misc/ui/jquery.ui.dialog.min.js' => array(),
+      'misc/ui/jquery.ui.dialog.min.js' =>  array(),
+      'misc/ui/jquery.ui.dialog-1.13.0-backport.js' => array(),
     ),
     'css' => array(
       'misc/ui/jquery.ui.dialog.css' => array(),
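Review bot: The rewrite of the `jquery.ui.dialog.min.js` entry at L166–L167 changes nothing but an extra space after `=>`, so the hunk carries a gratuitous whitespace diff alongside the real addition at L168. Keep the original line as context and add only the backport entry, matching the single-space form used in the datepicker and position hunks: `'misc/ui/jquery.ui.dialog.min.js' => array(),`. The three backport scripts rely on `Drupal.checkPlain`, so it is worth a comment on these library entries that they assume drupal.js is always present on pages where the libraries are loaded.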
@@ -1393,6 +1395,7 @@ function system_library() {
     'version' => '1.8.7',
     'js' => array(
       'misc/ui/jquery.ui.position.min.js' => array(),
+      'misc/ui/jquery.ui.position-1.13.0-backport.js' => array(),
     ),
   );
   $libraries['ui.progressbar'] = array(
