Prototype CVE - update prototype.js #429
Prototype isn't maintained, but the CVE can be resolved. Taken from: prototypejs/prototype#349
Change Version string
It should be noted that EPrints 3.5 will remove Prototype JS, as it is now possible to carry out all the EPrints actions that require it using generic JavaScript.
drn05r
left a comment
I can see how this change should also incorporate HTML tags that do not have matched quote marks. However, I am a little puzzled why the regex is not:
this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*|'[^'>]*)?(\/)?>|<\/\w+>/gi, '');
As otherwise it looks like it would match <h1 style="color: red> but not <h1 style='color: red>.
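The following is an added example, not code from this PR or from Prototype itself: it runs the reviewer's proposed regex against a variant that only handles an unmatched double quote (my assumed reconstruction of what the comment contrasts against, not necessarily the regex in the PR), on the two inputs from the comment plus a well-formed tag whose quoted attribute contains '>'.

```javascript
// Regex exactly as proposed in the review comment above.
const REVIEWER_RE = /<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*|'[^'>]*)?(\/)?>|<\/\w+>/gi;

// Assumed "otherwise" variant: identical, except the trailing unmatched-quote group
// only accepts a double quote. This is a reconstruction for comparison, not the PR's code.
const DOUBLE_QUOTE_ONLY_RE = /<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*)?(\/)?>|<\/\w+>/gi;

// Prototype-style stripTags: delete every match of the tag regex.
function stripTags(html, re) {
  return html.replace(re, '');
}

// Constructed inputs: the two cases from the comment, plus a balanced tag whose
// quoted attribute value contains '>' (which must not terminate the tag early).
const SAMPLES = {
  doubleQuoteUnmatched: '<h1 style="color: red>Hello</h1>',
  singleQuoteUnmatched: "<h1 style='color: red>Hello</h1>",
  quotedGreaterThan: '<a href="x>y">link</a>',
};

// Returns, per sample, what each regex leaves behind after stripping.
function compare() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = {
      reviewer: stripTags(html, REVIEWER_RE),
      doubleQuoteOnly: stripTags(html, DOUBLE_QUOTE_ONLY_RE),
    };
  }
  return out;
}

// The double-quote-only variant leaves "<h1 style='color: red>" in place;
// the reviewer's regex strips both unmatched-quote forms.
console.log(JSON.stringify(compare(), null, 2));
```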
I agree that the
drn05r
left a comment
This regexp looks good to me now.
Prototype is not being developed/released any more, but there is a fix for the CVE detailed in: prototypejs/prototype#349
I don't think that this CVE is 'dangerous' in relation to the regular EPrints codebase, but it does get flagged by scanning services.
The version string 1.7.3.1-eprints has been invented for our purposes. It is used by prototype when constructing XMLHttpRequest headers.

NB There are also other things that were committed to the prototype master branch since the 1.7.3 release, but I don't think it's worth doing anything with these, as EPrints will not rely on Prototype in the future.