Update 20_prototype.js for CVE-2020-27511

jesusbagpuss · web-flow · commit 64a92eb907c5 · 2025-02-19T11:40:18.000Z
Prototype isn't maintained, but the CVE can be resolved. Taken from: prototypejs/prototype#349
diff --git a/ingredients/prototypejs/static/javascript/auto/20_prototype.js b/ingredients/prototypejs/static/javascript/auto/20_prototype.js
@@ -8,7 +8,7 @@
 
 var Prototype = {
 
-  Version: '1.7.3',
+  Version: '1.7.3-eprints',
 
   Browser: (function(){
     var ua = navigator.userAgent;
@@ -621,7 +621,7 @@ Object.extend(String.prototype, (function() {
   }
 
   function stripTags() {
-    return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?(\/)?>|<\/\w+>/gi, '');
+    return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*|'[^'>])?(\/)?>|<\/\w+>/gi, '');
   }
 
   function stripScripts() {

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`
`9`	`9`	`var Prototype = {`
`10`	`10`
`11`		`- Version: '1.7.3',`
	`11`	`+ Version: '1.7.3-eprints',`
`12`	`12`
`13`	`13`	`Browser: (function(){`
`14`	`14`	`var ua = navigator.userAgent;`
`@@ -621,7 +621,7 @@ Object.extend(String.prototype, (function() {`
`621`	`621`	`}`
`622`	`622`
`623`	`623`	`function stripTags() {`
`624`		`- return this.replace(/<\w+(\s+("[^"]"\|'[^']'\|[^>])+)?(\/)?>\|<\/\w+>/gi, '');`
	`624`	`+ return this.replace(/<\w+(\s+("[^"]"\|'[^']'\|[^>'"])+)?\s("[^">]\|'[^'>])?(\/)?>\|<\/\w+>/gi, '');`
`625`	`625`	`}`
`626`	`626`
`627`	`627`	`function stripScripts() {`