diff --git a/disable-gzip-js.patch b/disable-gzip-js.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9bf8ecdf24c6292e9edbebe01c834b4364eb4389
--- /dev/null
+++ b/disable-gzip-js.patch
@@ -0,0 +1,11 @@
+diff --git a/Gruntfile.js b/Gruntfile.js
+--- a/Gruntfile.js
++++ b/Gruntfile.js
+@@ -13,7 +13,6 @@ module.exports = function( grunt ) {
+
+ var fs = require( "fs" ),
+ stripJSONComments = require( "strip-json-comments" ),
+- gzip = require( "gzip-js" ),
+ srcHintOptions = readOptionalJSON( "src/.jshintrc" ),
+ newNode = !/^v0/.test( process.version ),
+
diff --git a/jquery-2.2.4.tar.gz b/jquery-2.2.4.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..486609892e72733ad65dcc3d7827b2a5a67bf7f0
Binary files /dev/null and b/jquery-2.2.4.tar.gz differ
diff --git a/js-jquery2.spec b/js-jquery2.spec
new file mode 100644
index 0000000000000000000000000000000000000000..31b24ae01ef702f11a81ae65a6b1089a7641d097
--- /dev/null
+++ b/js-jquery2.spec
@@ -0,0 +1,55 @@
+Name: js-jquery2
+Version: 2.2.4
+Release: 1
+Summary: JavaScript DOM manipulation, event handling, and AJAX library
+BuildArch: noarch
+%global ver_x %(echo %{version} | cut -d. -f1)
+%global ver_y %(echo %{version} | cut -d. -f2)
+%global ver_z %(echo %{version} | cut -d. -f3)
+License: MIT
+URL: https://jquery.com/
+Source0: https://github.com/jquery/jquery/archive/%{version}/jquery-%{version}.tar.gz
+Patch0: disable-gzip-js.patch
+Patch1: xss-fix-b078a62.patch
+BuildRequires: web-assets-devel nodejs-packaging js-sizzle-static
+Provides: jquery = %{version}-%{release}
+Provides: %{name}-static = %{version}-%{release}
+BuildRequires: nodejs-grunt >= 0.4.4-3 npm(shelljs) npm(grunt-cli) npm(grunt-contrib-uglify)
+BuildRequires: npm(load-grunt-tasks) npm(requirejs) nodejs-strip-json-comments
+Requires: web-assets-filesystem
+Obsoletes: js-jquery < 3
+%description
+jQuery is a fast, small, and feature-rich JavaScript library. It makes things
+like HTML document traversal and manipulation, event handling, animation, and
+Ajax much simpler with an easy-to-use API that works across a multitude of
+browsers. With a combination of versatility and extensibility, jQuery has
+changed the way that millions of people write JavaScript.
+
+%prep
+%setup -qn jquery-%{version}
+%patch0 -p1
+%patch1 -p1
+rm -rf dist/* src/sizzle
+install -Dp %{_jsdir}/sizzle/latest/sizzle.js src/sizzle/dist/sizzle.js
+
+%build
+%nodejs_symlink_deps --build
+grunt -v 'build:*:*' uglify
+
+%install
+%global installdir %{buildroot}%{_jsdir}/jquery
+mkdir -p %{installdir}/%{version}
+cp -p dist/* %{installdir}/%{version}
+mkdir -p %{buildroot}%{_webassetdir}
+ln -s ../javascript/jquery %{buildroot}%{_webassetdir}/jquery
+ln -s %{version} %{installdir}/%{ver_x}
+ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
+
+%files
+%{_jsdir}/jquery
+%{_webassetdir}/jquery
+%doc AUTHORS.txt CONTRIBUTING.md LICENSE.txt README.md
+
+%changelog
+* Sat Aug 22 2020 wangchong - 2.2.4-1
+- package init
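Review bot: `Patch1: xss-fix-b078a62.patch` is a security backport, but neither the `Patch1` line nor the `%changelog` entry (`- package init`) records what it fixes. A comment above it such as `# Upstream commit b078a62 (gh-2432): stop auto-executing cross-domain responses when no dataType is given`, plus a matching changelog line, would let later rebases and vulnerability triage see what 2.2.4-1 already covers. This is the only security patch applied to a 2.2.4 tarball packaged in 2020, so it is worth confirming that no later upstream security fix also applies to the code being shipped.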
diff --git a/js-jquery2.yaml b/js-jquery2.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2e227d9107c7fcbbd4938ffa9afd944cc8a0c669
--- /dev/null
+++ b/js-jquery2.yaml
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: jquery/jquery
+tag_prefix: "^"
+seperator: "."
diff --git a/xss-fix-b078a62.patch b/xss-fix-b078a62.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f730c1665114abe819d6cebaf4d1a0bdd8b7cb2
--- /dev/null
+++ b/xss-fix-b078a62.patch
@@ -0,0 +1,91 @@
+From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001
+From: Oleg Gaidarenko
+Date: Thu, 10 Sep 2015 13:40:00 +0300
+Subject: [PATCH] Ajax: Mitigate possible XSS vulnerability
+
+Proposed by @jaubourg
+
+Fixes gh-2432
+Closes gh-2588
+---
+ src/ajax/script.js | 7 +++++++
+ test/unit/ajax.js | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 0 deletion(-)
+
+diff --git a/src/ajax/script.js b/src/ajax/script.js
+index 60b1fb6..0ec27b4 100644
+--- a/src/ajax/script.js
++++ b/src/ajax/script.js
+@@ -4,6 +4,13 @@ define( [
+ "../ajax"
+ ], function( jQuery, document ) {
+
++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
++jQuery.ajaxPrefilter( function( s ) {
++ if ( s.crossDomain ) {
++ s.contents.script = false;
++ }
++} );
++
+ // Install script dataType
+ jQuery.ajaxSetup( {
+ accepts: {
+diff --git a/test/unit/ajax.js b/test/unit/ajax.js
+index 14fe0be..6479587 100644
+--- a/test/unit/ajax.js
++++ b/test/unit/ajax.js
+@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
+ };
+ } );
+
++ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ } );
++
++ ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
++ function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ options.dataType = "script";
++ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ }
++ );
++
++ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ return jQuery.ajax( url( "data/script.php" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ } );
++
+ ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
+ return {
+ setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),
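Review bot: The comment on the new prefilter in src/ajax/script.js describes a broader protection than the code gives: `s.contents.script = false` is set only when `s.crossDomain` is true, so same-origin responses are untouched, and the second added test shows that an explicit `dataType: "script"` still executes a cross-domain response. I would word it as `// Prevent auto-execution of cross-domain scripts when no explicit dataType was provided (See gh-2432)` so packagers and callers do not read it as a general fix. In test/unit/ajax.js the first and third added tests share the title "jQuery.ajax() - do not execute js (crossOrigin)" and differ only in the URL (`data/script.php?header=ecma` vs `data/script.php`); distinct titles would make a failure attributable to one case. If this file is meant to stay a verbatim copy of upstream b078a62, record both points in the spec or raise them upstream rather than editing the patch.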