!7 Fix CVE-2021-41183

From: @huangtianhua Reviewed-by: @xiyuanwang Signed-off-by: @xiyuanwang
2022-05-23 11:03:52 +00:00 · 2022-05-23 11:03:52 +00:00 · 84a655832e
commit 84a655832e
parent 6e33e23f7d b6ef191f20
2 changed files with 186 additions and 2 deletions
--- a/0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch
+++ b/0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch
@ -0,0 +1,180 @@
 diff --git a/xstatic/pkg/jquery_ui/data/jquery-ui.js b/xstatic/pkg/jquery_ui/data/jquery-ui.js
 index 264329f..531b3bd 100644
 --- a/xstatic/pkg/jquery_ui/data/jquery-ui.js
 +++ b/xstatic/pkg/jquery_ui/data/jquery-ui.js
@@ -9801,7 +9801,9 @@ $.extend( Datepicker.prototype, {
 			inst.append.remove();
 		}
 		if ( appendText ) {
 -			inst.append = $( "<span class='" + this._appendClass + "'>" + appendText + "</span>" );
 +			inst.append = $( "<span>" )
 +				.addClass( this._appendClass )
 +				.text( appendText );
 			input[ isRTL ? "before" : "after" ]( inst.append );
 		}
@@ -9818,12 +9820,32 @@ $.extend( Datepicker.prototype, {
 		if ( showOn === "button" || showOn === "both" ) { // pop-up date picker when button clicked
 			buttonText = this._get( inst, "buttonText" );
 			buttonImage = this._get( inst, "buttonImage" );
 -			inst.trigger = $( this._get( inst, "buttonImageOnly" ) ?
 -				$( "<img/>" ).addClass( this._triggerClass ).
 -					attr( { src: buttonImage, alt: buttonText, title: buttonText } ) :
 -				$( "<button type='button'></button>" ).addClass( this._triggerClass ).
 -					html( !buttonImage ? buttonText : $( "<img/>" ).attr(
 -					{ src:buttonImage, alt:buttonText, title:buttonText } ) ) );
 +
 +			if ( this._get( inst, "buttonImageOnly" ) ) {
 +				inst.trigger = $( "<img>" )
 +					.addClass( this._triggerClass )
 +					.attr( {
 +						src: buttonImage,
 +						alt: buttonText,
 +						title: buttonText
 +					} );
 +			} else {
 +				inst.trigger = $( "<button type='button'>" )
 +					.addClass( this._triggerClass );
 +				if ( buttonImage ) {
 +					inst.trigger.html(
 +						$( "<img>" )
 +							.attr( {
 +								src: buttonImage,
 +								alt: buttonText,
 +								title: buttonText
 +							} )
 +					);
 +				} else {
 +					inst.trigger.text( buttonText );
 +				}
 +			}
 +
 			input[ isRTL ? "before" : "after" ]( inst.trigger );
 			inst.trigger.on( "click", function() {
 				if ( $.datepicker._datepickerShowing && $.datepicker._lastInput === input[ 0 ] ) {
@@ -11265,32 +11287,104 @@ $.extend( Datepicker.prototype, {
 			this._daylightSavingAdjust( new Date( drawYear, drawMonth - stepMonths, 1 ) ),
 			this._getFormatConfig( inst ) ) );
 -		prev = ( this._canAdjustMonth( inst, -1, drawYear, drawMonth ) ?
 -			"<a class='ui-datepicker-prev ui-corner-all' data-handler='prev' data-event='click'" +
 -			" title='" + prevText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "e" : "w" ) + "'>" + prevText + "</span></a>" :
 -			( hideIfNoPrevNext ? "" : "<a class='ui-datepicker-prev ui-corner-all ui-state-disabled' title='" + prevText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "e" : "w" ) + "'>" + prevText + "</span></a>" ) );
 +		if ( this._canAdjustMonth( inst, -1, drawYear, drawMonth ) ) {
 +			prev = $( "<a>" )
 +				.attr( {
 +					"class": "ui-datepicker-prev ui-corner-all",
 +					"data-handler": "prev",
 +					"data-event": "click",
 +					title: prevText
 +				} )
 +				.append(
 +					$( "<span>" )
 +						.addClass( "ui-icon ui-icon-circle-triangle-" +
 +							( isRTL ? "e" : "w" ) )
 +						.text( prevText )
 +				)[ 0 ].outerHTML;
 +		} else if ( hideIfNoPrevNext ) {
 +			prev = "";
 +		} else {
 +			prev = $( "<a>" )
 +				.attr( {
 +					"class": "ui-datepicker-prev ui-corner-all ui-state-disabled",
 +					title: prevText
 +				} )
 +				.append(
 +					$( "<span>" )
 +						.addClass( "ui-icon ui-icon-circle-triangle-" +
 +							( isRTL ? "e" : "w" ) )
 +						.text( prevText )
 +				)[ 0 ].outerHTML;
 +		}
 		nextText = this._get( inst, "nextText" );
 		nextText = ( !navigationAsDateFormat ? nextText : this.formatDate( nextText,
 			this._daylightSavingAdjust( new Date( drawYear, drawMonth + stepMonths, 1 ) ),
 			this._getFormatConfig( inst ) ) );
 -		next = ( this._canAdjustMonth( inst, +1, drawYear, drawMonth ) ?
 -			"<a class='ui-datepicker-next ui-corner-all' data-handler='next' data-event='click'" +
 -			" title='" + nextText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "w" : "e" ) + "'>" + nextText + "</span></a>" :
 -			( hideIfNoPrevNext ? "" : "<a class='ui-datepicker-next ui-corner-all ui-state-disabled' title='" + nextText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "w" : "e" ) + "'>" + nextText + "</span></a>" ) );
 +		if ( this._canAdjustMonth( inst, +1, drawYear, drawMonth ) ) {
 +			next = $( "<a>" )
 +				.attr( {
 +					"class": "ui-datepicker-next ui-corner-all",
 +					"data-handler": "next",
 +					"data-event": "click",
 +					title: nextText
 +				} )
 +				.append(
 +					$( "<span>" )
 +						.addClass( "ui-icon ui-icon-circle-triangle-" +
 +							( isRTL ? "w" : "e" ) )
 +						.text( nextText )
 +				)[ 0 ].outerHTML;
 +		} else if ( hideIfNoPrevNext ) {
 +			next = "";
 +		} else {
 +			next = $( "<a>" )
 +				.attr( {
 +					"class": "ui-datepicker-next ui-corner-all ui-state-disabled",
 +					title: nextText
 +				} )
 +				.append(
 +					$( "<span>" )
 +						.attr( "class", "ui-icon ui-icon-circle-triangle-" +
 +							( isRTL ? "w" : "e" ) )
 +						.text( nextText )
 +				)[ 0 ].outerHTML;
 +		}
 		currentText = this._get( inst, "currentText" );
 		gotoDate = ( this._get( inst, "gotoCurrent" ) && inst.currentDay ? currentDate : today );
 		currentText = ( !navigationAsDateFormat ? currentText :
 			this.formatDate( currentText, gotoDate, this._getFormatConfig( inst ) ) );
 -		controls = ( !inst.inline ? "<button type='button' class='ui-datepicker-close ui-state-default ui-priority-primary ui-corner-all' data-handler='hide' data-event='click'>" +
 -			this._get( inst, "closeText" ) + "</button>" : "" );
 -
 -		buttonPanel = ( showButtonPanel ) ? "<div class='ui-datepicker-buttonpane ui-widget-content'>" + ( isRTL ? controls : "" ) +
 -			( this._isInRange( inst, gotoDate ) ? "<button type='button' class='ui-datepicker-current ui-state-default ui-priority-secondary ui-corner-all' data-handler='today' data-event='click'" +
 -			">" + currentText + "</button>" : "" ) + ( isRTL ? "" : controls ) + "</div>" : "";
 +			controls = "";
 +			if ( !inst.inline ) {
 +				controls = $( "<button>" )
 +					.attr( {
 +						type: "button",
 +						"class": "ui-datepicker-close ui-state-default ui-priority-primary ui-corner-all",
 +						"data-handler": "hide",
 +						"data-event": "click"
 +					} )
 +					.text( this._get( inst, "closeText" ) )[ 0 ].outerHTML;
 +			}
 +
 +			buttonPanel = "";
 +			if ( showButtonPanel ) {
 +				buttonPanel = $( "<div class='ui-datepicker-buttonpane ui-widget-content'>" )
 +					.append( isRTL ? controls : "" )
 +					.append( this._isInRange( inst, gotoDate ) ?
 +						$( "<button>" )
 +							.attr( {
 +								type: "button",
 +								"class": "ui-datepicker-current ui-state-default ui-priority-secondary ui-corner-all",
 +								"data-handler": "today",
 +								"data-event": "click"
 +							} )
 +							.text( currentText ) :
 +						"" )
 +					.append( isRTL ? "" : controls )[ 0 ].outerHTML;
 +			}
 		firstDay = parseInt( this._get( inst, "firstDay" ), 10 );
 		firstDay = ( isNaN( firstDay ) ? 0 : firstDay );
@@ -18703,4 +18797,4 @@ var effectsEffectTransfer = effect;
 -}));
 \ No newline at end of file
 +}));
--- a/python-XStatic-jquery-ui.spec
+++ b/python-XStatic-jquery-ui.spec
@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-XStatic-jquery-ui
 Version:	1.12.1.1
-Release:	1
+Release:	2
 Summary:	jquery-ui 1.12.1 (XStatic packaging standard)
 License:	MIT
 URL:		https://jqueryui.com/
 Source0:	https://files.pythonhosted.org/packages/e6/5a/883b22dad1d3e01708312d71c5bc63d543d66cef9b448c1cf85379d64fb3/XStatic-jquery-ui-1.12.1.1.tar.gz
 Patch0:         0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch
 BuildArch:	noarch
@ -42,7 +43,7 @@ the XStatic base package, if you like.
 You can find more info about the xstatic packaging way in the package `XStatic`.
 %prep
-%autosetup -n XStatic-jquery-ui-1.12.1.1
+%autosetup -n XStatic-jquery-ui-1.12.1.1 -p1
 %build
 %py3_build
@ -82,5 +83,8 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
 * Mon May 23 2022 huangtianhua <huangtianhua@huawei.com> - 1.12.1.1-2
 - Fix CVE-2021-41183
 * Sat Jan 30 2021 Python_Bot <Python_Bot@openeuler.org>
 - Package Spec generated