Merge pull request #3187 from magento-trigger/PR-2.2.7

[Trigger] Bugfixes

Author: okolesnyk

app/code/Magento/Theme/view/base/requirejs-config.js

@@ -56,6 +56,9 @@ var config = {
         'mixins': {
             'jquery/jstree/jquery.jstree': {
                 'mage/backend/jstree-mixin': true
+            },
+            'jquery': {
+                'jquery/patches/jquery': true
             }
         },
         'text': {
@@ -65,9 +68,3 @@ var config = {
         }
     }
 };
-
-require(['jquery'], function ($) {
-    'use strict';
-
-    $.noConflict();
-});

app/code/Magento/Theme/view/frontend/requirejs-config.js

@@ -44,6 +44,9 @@ var config = {
         mixins: {
             'Magento_Theme/js/view/breadcrumbs': {
                 'Magento_Theme/js/view/add-home-breadcrumb': true
+            },
+            'jquery/jquery-ui': {
+                'jquery/patches/jquery-ui': true
             }
         }
     }

lib/web/jquery/patches/jquery-ui.js

@@ -0,0 +1,46 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    'jquery'
+], function ($) {
+    'use strict';
+
+    /**
+     * Patch for CVE-2016-7103 (XSS vulnerability).
+     * Can safely remove only when jQuery UI is upgraded to >= 1.12.x.
+     * https://www.cvedetails.com/cve/CVE-2016-7103/
+     */
+    function dialogPatch() {
+        $.widget('ui.dialog', $.ui.dialog, {
+            /** @inheritdoc */
+            _createTitlebar: function () {
+                this.options.closeText = $('<a>').text('' + this.options.closeText).html();
+
+                this._superApply();
+            },
+
+            /** @inheritdoc */
+            _setOption: function (key, value) {
+                if (key === 'closeText') {
+                    value = $('<a>').text('' + value).html();
+                }
+
+                this._super(key, value);
+            }
+        });
+    }
+
+    return function () {
+        var majorVersion = $.ui.version.split('.')[0],
+            minorVersion = $.ui.version.split('.')[1];
+
+        if (majorVersion === 1 && minorVersion >= 12 || majorVersion >= 2) {
+            console.warn('jQuery patch for CVE-2016-7103 is no longer necessary, and should be removed');
+        }
+
+        dialogPatch();
+    };
+});

lib/web/jquery/patches/jquery.js

@@ -0,0 +1,35 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([], function () {
+    'use strict';
+
+    /**
+     * Patch for CVE-2015-9251 (XSS vulnerability).
+     * Can safely remove only when jQuery UI is upgraded to >= 3.3.x.
+     * https://www.cvedetails.com/cve/CVE-2015-9251/
+     */
+    function ajaxResponsePatch(jQuery) {
+        jQuery.ajaxPrefilter(function (s) {
+            if (s.crossDomain) {
+                s.contents.script = false;
+            }
+        });
+    }
+
+    return function ($) {
+        var majorVersion = $.fn.jquery.split('.')[0];
+
+        $.noConflict();
+
+        if (majorVersion >= 3) {
+            console.warn('jQuery patch for CVE-2015-9251 is no longer necessary, and should be removed');
+        }
+
+        ajaxResponsePatch(jQuery);
+
+        return jQuery;
+    };
+});

lib/web/mage/translate-inline.js

@@ -200,32 +200,5 @@
         }
     });
 
-    $.widget('ui.button', $.ui.button, {
-        /**
-         * @private
-         */
-        _create: function () {
-            this._super();
-            // Decode HTML entities to prevent incorrect rendering of dialog button label
-            this.options.label = this.options.label ?
-                jQuery('<div/>').html(this.options.label).text() : this.options.label;
-            //Reset button to make decoded label visible
-            this._resetButton();
-        }
-    });
-
-    $.widget('ui.dialog', $.ui.dialog, {
-        /**
-         * Prevent rendering of dialog title as escaped HTML
-         */
-        _title: function (title) {
-            this._super(title);
-
-            if (this.options.title) {
-                title.html(this.options.title);
-            }
-        }
-    });
-
     return $.mage.translateInline;
 }));

pub/static/.htaccess

@@ -22,6 +22,11 @@ Options -MultiViews
     RewriteCond %{REQUEST_FILENAME} !-l
 
     RewriteRule .* ../static.php?resource=$0 [L]
+    # Detects if moxieplayer request with uri params and redirects to uri without params
+    <Files moxieplayer.swf>
+        RewriteCond %{QUERY_STRING} !^$
+        RewriteRule ^(.*)$ %{REQUEST_URI}? [R=301,L]
+    </Files>
 </IfModule>
 
 ############################################