Patch XSS security vulnerability #1
Conversation
t-reedy
force-pushed
the
security-vulnerability
branch
from
d6e0902 to
bc1d586
Compare
t-reedy
force-pushed
the
security-vulnerability
branch
from
bc1d586 to
bb20f98
Compare
|
|
||
| // generates dropdown from select values | ||
| dropdown: function(select) { | ||
| var | ||
| placeholder = select.placeholder || false, | ||
| values = select.values || {}, | ||
| html = '' | ||
| values = select.values || [], |
There was a problem hiding this comment.
Why did the default value change from an object to an array?
There was a problem hiding this comment.
It looks like a bug fix, previously var values was set but never used because it looped directly over select.values instead: https://github.com/stqry/Semantic-UI-CSS/pull/1/files#diff-449ac400a1bf6f602a60c591e25d914d36f949eecfc9fd282cb19a3e803e91cfL3845.
This change is taken from https://github.com/fomantic/Fomantic-UI/pull/298/files#diff-5ee8757d7a7e983335e14411dcc4f6dda835d6132a1e7f12ce38b2a6c7215493R4031. I assume changing the default was just a minor refactor, either way the result should be the same because it's only looped by the $.each, and the array or object is empty so nothing happens.
|
|
@greendrake Could you please manually test this one? I think you'll do a much more thorough test than I could. Testing can wait till it's on d1tix if you like. |
|
@BevanR I trust that Therese has tested it properly, so let's get it to D1tix for final verification. The test itself is plain simple and can't be "thorough" in principle: you just paste a |
The vulnerability is described here: https://security.snyk.io/vuln/SNYK-JS-SEMANTICUI-174699.
There is no fix for this in the main Semantic UI repo, so this fix is inspired by the fix from Fomantic UI: fomantic/Fomantic-UI#298.
We can choose to merge this into this repository or not - this fix is included in the PR to move Semantic UI into the main repo: https://github.com/stqry/ticketing-cms/pull/533