From b6ef191f20885e4d1dedcce99dd83b6b3e37b0e1 Mon Sep 17 00:00:00 2001
From: huangtianhua <huangtianhua@huawei.com>
Date: Mon, 23 May 2022 17:21:03 +0800
Subject: [PATCH] Fix CVE-2021-41183

---
 ...option-are-text-shorten-HTML-strings.patch | 180 ++++++++++++++++++
 python-XStatic-jquery-ui.spec                 |   8 +-
 2 files changed, 186 insertions(+), 2 deletions(-)
 create mode 100644 0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch

diff --git a/0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch b/0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch
new file mode 100644
index 0000000..5fce851
--- /dev/null
+++ b/0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch
@@ -0,0 +1,180 @@
+diff --git a/xstatic/pkg/jquery_ui/data/jquery-ui.js b/xstatic/pkg/jquery_ui/data/jquery-ui.js
+index 264329f..531b3bd 100644
+--- a/xstatic/pkg/jquery_ui/data/jquery-ui.js
++++ b/xstatic/pkg/jquery_ui/data/jquery-ui.js
+@@ -9801,7 +9801,9 @@ $.extend( Datepicker.prototype, {
+ 			inst.append.remove();
+ 		}
+ 		if ( appendText ) {
+-			inst.append = $( "<span class='" + this._appendClass + "'>" + appendText + "</span>" );
++			inst.append = $( "<span>" )
++				.addClass( this._appendClass )
++				.text( appendText );
+ 			input[ isRTL ? "before" : "after" ]( inst.append );
+ 		}
+ 
+@@ -9818,12 +9820,32 @@ $.extend( Datepicker.prototype, {
+ 		if ( showOn === "button" || showOn === "both" ) { // pop-up date picker when button clicked
+ 			buttonText = this._get( inst, "buttonText" );
+ 			buttonImage = this._get( inst, "buttonImage" );
+-			inst.trigger = $( this._get( inst, "buttonImageOnly" ) ?
+-				$( "<img/>" ).addClass( this._triggerClass ).
+-					attr( { src: buttonImage, alt: buttonText, title: buttonText } ) :
+-				$( "<button type='button'></button>" ).addClass( this._triggerClass ).
+-					html( !buttonImage ? buttonText : $( "<img/>" ).attr(
+-					{ src:buttonImage, alt:buttonText, title:buttonText } ) ) );
++
++			if ( this._get( inst, "buttonImageOnly" ) ) {
++				inst.trigger = $( "<img>" )
++					.addClass( this._triggerClass )
++					.attr( {
++						src: buttonImage,
++						alt: buttonText,
++						title: buttonText
++					} );
++			} else {
++				inst.trigger = $( "<button type='button'>" )
++					.addClass( this._triggerClass );
++				if ( buttonImage ) {
++					inst.trigger.html(
++						$( "<img>" )
++							.attr( {
++								src: buttonImage,
++								alt: buttonText,
++								title: buttonText
++							} )
++					);
++				} else {
++					inst.trigger.text( buttonText );
++				}
++			}
++
+ 			input[ isRTL ? "before" : "after" ]( inst.trigger );
+ 			inst.trigger.on( "click", function() {
+ 				if ( $.datepicker._datepickerShowing && $.datepicker._lastInput === input[ 0 ] ) {
+@@ -11265,32 +11287,104 @@ $.extend( Datepicker.prototype, {
+ 			this._daylightSavingAdjust( new Date( drawYear, drawMonth - stepMonths, 1 ) ),
+ 			this._getFormatConfig( inst ) ) );
+ 
+-		prev = ( this._canAdjustMonth( inst, -1, drawYear, drawMonth ) ?
+-			"<a class='ui-datepicker-prev ui-corner-all' data-handler='prev' data-event='click'" +
+-			" title='" + prevText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "e" : "w" ) + "'>" + prevText + "</span></a>" :
+-			( hideIfNoPrevNext ? "" : "<a class='ui-datepicker-prev ui-corner-all ui-state-disabled' title='" + prevText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "e" : "w" ) + "'>" + prevText + "</span></a>" ) );
++		if ( this._canAdjustMonth( inst, -1, drawYear, drawMonth ) ) {
++			prev = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-prev ui-corner-all",
++					"data-handler": "prev",
++					"data-event": "click",
++					title: prevText
++				} )
++				.append(
++					$( "<span>" )
++						.addClass( "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "e" : "w" ) )
++						.text( prevText )
++				)[ 0 ].outerHTML;
++		} else if ( hideIfNoPrevNext ) {
++			prev = "";
++		} else {
++			prev = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-prev ui-corner-all ui-state-disabled",
++					title: prevText
++				} )
++				.append(
++					$( "<span>" )
++						.addClass( "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "e" : "w" ) )
++						.text( prevText )
++				)[ 0 ].outerHTML;
++		}
+ 
+ 		nextText = this._get( inst, "nextText" );
+ 		nextText = ( !navigationAsDateFormat ? nextText : this.formatDate( nextText,
+ 			this._daylightSavingAdjust( new Date( drawYear, drawMonth + stepMonths, 1 ) ),
+ 			this._getFormatConfig( inst ) ) );
+ 
+-		next = ( this._canAdjustMonth( inst, +1, drawYear, drawMonth ) ?
+-			"<a class='ui-datepicker-next ui-corner-all' data-handler='next' data-event='click'" +
+-			" title='" + nextText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "w" : "e" ) + "'>" + nextText + "</span></a>" :
+-			( hideIfNoPrevNext ? "" : "<a class='ui-datepicker-next ui-corner-all ui-state-disabled' title='" + nextText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "w" : "e" ) + "'>" + nextText + "</span></a>" ) );
++		if ( this._canAdjustMonth( inst, +1, drawYear, drawMonth ) ) {
++			next = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-next ui-corner-all",
++					"data-handler": "next",
++					"data-event": "click",
++					title: nextText
++				} )
++				.append(
++					$( "<span>" )
++						.addClass( "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "w" : "e" ) )
++						.text( nextText )
++				)[ 0 ].outerHTML;
++		} else if ( hideIfNoPrevNext ) {
++			next = "";
++		} else {
++			next = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-next ui-corner-all ui-state-disabled",
++					title: nextText
++				} )
++				.append(
++					$( "<span>" )
++						.attr( "class", "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "w" : "e" ) )
++						.text( nextText )
++				)[ 0 ].outerHTML;
++		}
+ 
+ 		currentText = this._get( inst, "currentText" );
+ 		gotoDate = ( this._get( inst, "gotoCurrent" ) && inst.currentDay ? currentDate : today );
+ 		currentText = ( !navigationAsDateFormat ? currentText :
+ 			this.formatDate( currentText, gotoDate, this._getFormatConfig( inst ) ) );
+ 
+-		controls = ( !inst.inline ? "<button type='button' class='ui-datepicker-close ui-state-default ui-priority-primary ui-corner-all' data-handler='hide' data-event='click'>" +
+-			this._get( inst, "closeText" ) + "</button>" : "" );
+-
+-		buttonPanel = ( showButtonPanel ) ? "<div class='ui-datepicker-buttonpane ui-widget-content'>" + ( isRTL ? controls : "" ) +
+-			( this._isInRange( inst, gotoDate ) ? "<button type='button' class='ui-datepicker-current ui-state-default ui-priority-secondary ui-corner-all' data-handler='today' data-event='click'" +
+-			">" + currentText + "</button>" : "" ) + ( isRTL ? "" : controls ) + "</div>" : "";
++			controls = "";
++			if ( !inst.inline ) {
++				controls = $( "<button>" )
++					.attr( {
++						type: "button",
++						"class": "ui-datepicker-close ui-state-default ui-priority-primary ui-corner-all",
++						"data-handler": "hide",
++						"data-event": "click"
++					} )
++					.text( this._get( inst, "closeText" ) )[ 0 ].outerHTML;
++			}
++
++			buttonPanel = "";
++			if ( showButtonPanel ) {
++				buttonPanel = $( "<div class='ui-datepicker-buttonpane ui-widget-content'>" )
++					.append( isRTL ? controls : "" )
++					.append( this._isInRange( inst, gotoDate ) ?
++						$( "<button>" )
++							.attr( {
++								type: "button",
++								"class": "ui-datepicker-current ui-state-default ui-priority-secondary ui-corner-all",
++								"data-handler": "today",
++								"data-event": "click"
++							} )
++							.text( currentText ) :
++						"" )
++					.append( isRTL ? "" : controls )[ 0 ].outerHTML;
++			}
+ 
+ 		firstDay = parseInt( this._get( inst, "firstDay" ), 10 );
+ 		firstDay = ( isNaN( firstDay ) ? 0 : firstDay );
+@@ -18703,4 +18797,4 @@ var effectsEffectTransfer = effect;
+ 
+ 
+ 
+-}));
+\ No newline at end of file
++}));
diff --git a/python-XStatic-jquery-ui.spec b/python-XStatic-jquery-ui.spec
index a4abf37..7225381 100644
--- a/python-XStatic-jquery-ui.spec
+++ b/python-XStatic-jquery-ui.spec
@@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-XStatic-jquery-ui
 Version:	1.12.1.1
-Release:	1
+Release:	2
 Summary:	jquery-ui 1.12.1 (XStatic packaging standard)
 License:	MIT
 URL:		https://jqueryui.com/
 Source0:	https://files.pythonhosted.org/packages/e6/5a/883b22dad1d3e01708312d71c5bc63d543d66cef9b448c1cf85379d64fb3/XStatic-jquery-ui-1.12.1.1.tar.gz
+Patch0:         0001-Make-sure-text-option-are-text-shorten-HTML-strings.patch
 BuildArch:	noarch
 
 
@@ -42,7 +43,7 @@ the XStatic base package, if you like.
 You can find more info about the xstatic packaging way in the package `XStatic`.
 
 %prep
-%autosetup -n XStatic-jquery-ui-1.12.1.1
+%autosetup -n XStatic-jquery-ui-1.12.1.1 -p1
 
 %build
 %py3_build
@@ -82,5 +83,8 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon May 23 2022 huangtianhua <huangtianhua@huawei.com> - 1.12.1.1-2
+- Fix CVE-2021-41183
+
 * Sat Jan 30 2021 Python_Bot <Python_Bot@openeuler.org>
 - Package Spec generated