backport angular#17028 to fix CVE-2020-7676

GHSA-mhp6-pxh8-r675

NOTE: since we only support using with jquery 3.5.1 in Salesforce/vlocity we've modified the tests to account for this and drop older versions of jquery.

Author: mgoldspink-salesforce

Gruntfile.js

@@ -136,8 +136,7 @@ module.exports = function(grunt) {
     tests: {
       jqlite: 'karma-jqlite.conf.js',
       jquery: 'karma-jquery.conf.js',
-      'jquery-2.2': 'karma-jquery-2.2.conf.js',
-      'jquery-2.1': 'karma-jquery-2.1.conf.js',
+      'jquery-3.5': 'karma-jquery-3.5.conf.js',
       docs: 'karma-docs.conf.js',
       modules: 'karma-modules.conf.js'
     },
@@ -146,8 +145,7 @@ module.exports = function(grunt) {
     autotest: {
       jqlite: 'karma-jqlite.conf.js',
       jquery: 'karma-jquery.conf.js',
-      'jquery-2.2': 'karma-jquery-2.2.conf.js',
-      'jquery-2.1': 'karma-jquery-2.1.conf.js',
+      'jquery-3.5': 'karma-jquery-3.5.conf.js',
       modules: 'karma-modules.conf.js',
       docs: 'karma-docs.conf.js'
     },
@@ -403,10 +401,9 @@ module.exports = function(grunt) {
     'tests:docs',
     'test:protractor'
   ]);
-  grunt.registerTask('test:jqlite', 'Run the unit tests with Karma' , ['tests:jqlite']);
+  grunt.registerTask('test:jqlite', 'Run the unit tests with Karma', ['tests:jqlite']);
   grunt.registerTask('test:jquery', 'Run the jQuery (latest) unit tests with Karma', ['tests:jquery']);
-  grunt.registerTask('test:jquery-2.2', 'Run the jQuery 2.2 unit tests with Karma', ['tests:jquery-2.2']);
-  grunt.registerTask('test:jquery-2.1', 'Run the jQuery 2.1 unit tests with Karma', ['tests:jquery-2.1']);
+  grunt.registerTask('test:jquery-3.5', 'Run the jQuery 3.5 unit tests with Karma', ['tests:jquery-3.5']);
   grunt.registerTask('test:modules', 'Run the Karma module tests with Karma', [
     'build',
     'tests:modules'
@@ -415,8 +412,7 @@ module.exports = function(grunt) {
   grunt.registerTask('test:unit', 'Run unit, jQuery and Karma module tests with Karma', [
     'test:jqlite',
     'test:jquery',
-    'test:jquery-2.2',
-    'test:jquery-2.1',
+    'test:jquery-3.5',
     'test:modules'
   ]);
   grunt.registerTask('test:protractor', 'Run the end to end tests with Protractor and keep a test server running in the background', [

angularFiles.js

@@ -244,7 +244,7 @@ var angularFiles = {
   ]
 };
 
-['2.1', '2.2'].forEach(function(jQueryVersion) {
+['3.5'].forEach(function(jQueryVersion) {
   angularFiles['karmaJquery' + jQueryVersion] = []
     .concat(angularFiles.karmaJquery)
     .map(function(path) {

bower.json

@@ -2,9 +2,8 @@
   "name": "angularjs",
   "license": "MIT",
   "devDependencies": {
-    "jquery": "3.2.1",
-    "jquery-2.2": "jquery#2.2.4",
-    "jquery-2.1": "jquery#2.1.4",
+    "jquery": "3.5.1",
+    "jquery-3.5": "jquery#3.5.1",
     "closure-compiler": "https://dl.google.com/closure-compiler/compiler-20140814.zip",
     "ng-closure-runner": "https://raw.github.com/angular/ng-closure-runner/v0.2.4/assets/ng-closure-runner.zip"
   }

karma-jquery-2.2.conf.js

@@ -2,4 +2,4 @@
 
 var karmaConfigFactory = require('./karma-jquery.conf-factory');
 
-module.exports = karmaConfigFactory('2.1');
+module.exports = karmaConfigFactory('3.5');

karma-jquery-2.1.conf.js karma-jquery-3.5.conf.js

@@ -182,7 +182,7 @@ module.exports = {
     var errorFileName = file.replace(/\.js$/, '-errors.json');
     var versionNumber = grunt.config('NG_VERSION').full;
     var compilationLevel = (file === 'build/angular-message-format.js') ?
-        'ADVANCED_OPTIMIZATIONS' : 'SIMPLE_OPTIMIZATIONS';
+      'ADVANCED_OPTIMIZATIONS' : 'SIMPLE_OPTIMIZATIONS';
     shell.exec(
         'java ' +
             this.java32flags() + ' ' +
@@ -221,7 +221,7 @@ module.exports = {
   //returns the 32-bit mode force flags for java compiler if supported, this makes the build much faster
   java32flags: function() {
     if (process.platform === 'win32') return '';
-    if (shell.exec('java -version -d32 2>&1', {silent: true}).code !== 0) return '';
+    if (shell.exec('java -d32 2>&1', {silent: true}).code !== 0) return '';
     return ' -d32 -client';
   },
 

lib/grunt/utils.js

@@ -60,8 +60,9 @@
     "jasmine-core": "2.5.2",
     "jasmine-node": "^2.0.0",
     "jasmine-reporters": "^2.2.0",
-    "jquery": "^3.2.1",
-    "karma": "^1.7.0",
+    "jquery": "3.5.1",
+    "jquery-3.5": "npm:[email protected]",
+    "karma": "^2.0.0",
     "karma-browserstack-launcher": "^1.2.0",
     "karma-chrome-launcher": "^2.1.1",
     "karma-firefox-launcher": "^1.0.1",

package.json

@@ -34,8 +34,7 @@ case "$JOB" in
     ;;
   "unit-jquery")
     grunt test:jquery --browsers="$BROWSERS" --reporters=spec
-    grunt test:jquery-2.2 --browsers="$BROWSERS" --reporters=spec
-    grunt test:jquery-2.1 --browsers="$BROWSERS" --reporters=spec
+    grunt test:jquery-3.5 --browsers="$BROWSERS" --reporters=spec
     ;;
   "docs-app")
     grunt tests:docs --browsers="$BROWSERS" --reporters=spec

scripts/travis/build.sh

@@ -94,6 +94,7 @@
   hasOwnProperty,
   createMap,
   stringify,
+  UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
 
   NODE_TYPE_ELEMENT,
   NODE_TYPE_ATTRIBUTE,
@@ -1964,6 +1965,25 @@ function bindJQuery() {
   bindJQueryFired = true;
 }
 
+/**
+ * @ngdoc function
+ * @name angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement
+ * @module ng
+ * @kind function
+ *
+ * @description
+ * Restores the pre-1.8 behavior of jqLite that turns XHTML-like strings like
+ * `<div /><span />` to `<div></div><span></span>` instead of `<div><span></span></div>`.
+ * The new behavior is a security fix. Thus, if you need to call this function, please try to adjust
+ * your code for this change and remove your use of this function as soon as possible.
+ * Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the
+ * [jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details
+ * about the workarounds.
+ */
+ function UNSAFE_restoreLegacyJqLiteXHTMLReplacement() {
+  JQLite.legacyXHTMLReplacement = true;
+}
+
 /**
  * throw error if the argument is falsy.
  */

src/Angular.js

@@ -51,6 +51,7 @@
   ngModelOptionsDirective,
   ngAttributeAliasDirectives,
   ngEventDirectives,
+  UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
 
   $AnchorScrollProvider,
   $AnimateProvider,
@@ -155,6 +156,7 @@ function publishExternalAPI(angular) {
     'callbacks': {$$counter: 0},
     'getTestability': getTestability,
     'reloadWithDebugInfo': reloadWithDebugInfo,
+    'UNSAFE_restoreLegacyJqLiteXHTMLReplacement': UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
     '$$minErr': minErr,
     '$$csp': csp,
     '$$encodeUriSegment': encodeUriSegment,

src/AngularPublic.js

@@ -89,6 +89,16 @@
  * - [`val()`](http://api.jquery.com/val/)
  * - [`wrap()`](http://api.jquery.com/wrap/)
  *
+ * jqLite also provides a method restoring pre-1.8 insecure treatment of XHTML-like tags.
+ * This legacy behavior turns input like `<div /><span />` to `<div></div><span></span>`
+ * instead of `<div><span></span></div>` like version 1.8 & newer do. To restore it, invoke:
+ * ```js
+ * angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();
+ * ```
+ * Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the
+ * [jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details
+ * about the workarounds.
+ *
  * ## jQuery/jqLite Extras
  * Angular also provides the following additional methods and events to both jQuery and jqLite:
  *
@@ -168,20 +178,36 @@ var HTML_REGEXP = /<|&#?\w+;/;
 var TAG_NAME_REGEXP = /<([\w:-]+)/;
 var XHTML_TAG_REGEXP = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;
 
+// Table parts need to be wrapped with `<table>` or they're
+// stripped to their contents when put in a div.
+// XHTML parsers do not magically insert elements in the
+// same way that tag soup parsers do, so we cannot shorten
+// this by omitting <tbody> or other required elements.
 var wrapMap = {
-  'option': [1, '<select multiple="multiple">', '</select>'],
-
-  'thead': [1, '<table>', '</table>'],
-  'col': [2, '<table><colgroup>', '</colgroup></table>'],
-  'tr': [2, '<table><tbody>', '</tbody></table>'],
-  'td': [3, '<table><tbody><tr>', '</tr></tbody></table>'],
-  '_default': [0, '', '']
+  thead: ['table'],
+  col: ['colgroup', 'table'],
+  tr: ['tbody', 'table'],
+  td: ['tr', 'tbody', 'table']
 };
 
-wrapMap.optgroup = wrapMap.option;
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
+// Support: IE <10 only
+// IE 9 requires an option wrapper & it needs to have the whole table structure
+// set up in advance; assigning `"<td></td>"` to `tr.innerHTML` doesn't work, etc.
+var wrapMapIE9 = {
+  option: [1, '<select multiple="multiple">', '</select>'],
+  _default: [0, '', '']
+};
+
+for (var key in wrapMap) {
+  var wrapMapValueClosing = wrapMap[key];
+  var wrapMapValue = wrapMapValueClosing.slice().reverse();
+  wrapMapIE9[key] = [wrapMapValue.length, '<' + wrapMapValue.join('><') + '>', '</' + wrapMapValueClosing.join('></') + '>'];
+}
+
+wrapMapIE9.optgroup = wrapMapIE9.option;
 
 function jqLiteIsTextNode(html) {
   return !HTML_REGEXP.test(html);
@@ -202,7 +228,7 @@ function jqLiteHasData(node) {
 }
 
 function jqLiteBuildFragment(html, context) {
-  var tmp, tag, wrap,
+  var tmp, tag, wrap, finalHtml,
       fragment = context.createDocumentFragment(),
       nodes = [], i;
 
@@ -213,13 +239,30 @@ function jqLiteBuildFragment(html, context) {
     // Convert html into DOM nodes
     tmp = fragment.appendChild(context.createElement('div'));
     tag = (TAG_NAME_REGEXP.exec(html) || ['', ''])[1].toLowerCase();
-    wrap = wrapMap[tag] || wrapMap._default;
-    tmp.innerHTML = wrap[1] + html.replace(XHTML_TAG_REGEXP, '<$1></$2>') + wrap[2];
+    finalHtml = JQLite.legacyXHTMLReplacement ?
+      html.replace(XHTML_TAG_REGEXP, '<$1></$2>') :
+      html;
+
+    if (msie < 10) {
+      wrap = wrapMapIE9[tag] || wrapMapIE9._default;
+      tmp.innerHTML = wrap[1] + finalHtml + wrap[2];
+
+      // Descend through wrappers to the right content
+      i = wrap[0];
+      while (i--) {
+        tmp = tmp.firstChild;
+      }
+    } else {
+      wrap = wrapMap[tag] || [];
 
-    // Descend through wrappers to the right content
-    i = wrap[0];
-    while (i--) {
-      tmp = tmp.lastChild;
+      // Create wrappers & descend into them
+      i = wrap.length;
+      while (--i > -1) {
+        tmp.appendChild(window.document.createElement(wrap[i]));
+        tmp = tmp.firstChild;
+      }
+
+      tmp.innerHTML = finalHtml;
     }
 
     nodes = concat(nodes, tmp.childNodes);

src/jqLite.js

@@ -42,8 +42,8 @@ describe('jqLite', function() {
               var expect = jqLite(expected[i])[0];
               value = value && equals(expect, actual);
               msg = 'Not equal at index: ' + i
-                  + ' - Expected: ' + expect
-                  + ' - Actual: ' + actual;
+                + ' - Expected: ' + expect
+                + ' - Actual: ' + actual;
             }
             return { pass: value, message: message };
           }
@@ -147,6 +147,12 @@ describe('jqLite', function() {
       expect(nodes[0].nodeName.toLowerCase()).toBe('option');
     });
 
+    it('should allow construction of multiple <option> elements', function () {
+      var nodes = jqLite('<option></option><option></option>');
+      expect(nodes.length).toBe(2);
+      expect(nodes[0].nodeName.toLowerCase()).toBe('option');
+      expect(nodes[1].nodeName.toLowerCase()).toBe('option');
+    });
 
     // Special tests for the construction of elements which are restricted (in the HTML5 spec) to
     // being children of specific nodes.
@@ -171,6 +177,96 @@ describe('jqLite', function() {
     });
   });
 
+
+  describe('security', function () {
+    it('shouldn\'t crash at attempts to close the table wrapper', function() {
+      // jQuery doesn't pass this test yet.
+      if (!_jqLiteMode) return;
+
+      // Support: IE <10
+      // In IE 9 we still need to use the old-style innerHTML assignment
+      // as that's the only one that works.
+      if (msie < 10) return;
+
+      expect(function () {
+        // This test case attempts to close the tags which wrap input
+        // based on matching done in wrapMap, escaping the wrapper & thus
+        // triggering an error when descending.
+        var el = jqLite('<td></td></tr></tbody></table><td></td>');
+        expect(el.length).toBe(2);
+        expect(el[0].nodeName.toLowerCase()).toBe('td');
+        expect(el[1].nodeName.toLowerCase()).toBe('td');
+      }).not.toThrow();
+    });
+
+    it('shouldn\'t unsanitize sanitized code', function(done) {
+      // jQuery <3.5.0 fail those tests.
+      if (isJQuery2x()) {
+        done();
+        return;
+      }
+
+      var counter = 0,
+        assertCount = 13,
+        container = jqLite('<div></div>');
+
+      function donePartial() {
+        counter++;
+        if (counter === assertCount) {
+          container.remove();
+          delete window.xss;
+          done();
+        }
+      }
+
+      jqLite(document.body).append(container);
+      window.xss = jasmine.createSpy('xss');
+
+      // Thanks to Masato Kinugawa from Cure53 for providing the following test cases.
+      // Note: below test cases need to invoke the xss function with consecutive
+      // decimal parameters for the assertions to be correct.
+      forEach([
+        '<img alt="<x" title="/><img src=url404 onerror=xss(0)>">',
+        '<img alt="\n<x" title="/>\n<img src=url404 onerror=xss(1)>">',
+        '<style><style/><img src=url404 onerror=xss(2)>',
+        '<xmp><xmp/><img src=url404 onerror=xss(3)>',
+        '<title><title /><img src=url404 onerror=xss(4)>',
+        '<iframe><iframe/><img src=url404 onerror=xss(5)>',
+        '<noframes><noframes/><img src=url404 onerror=xss(6)>',
+        '<noscript><noscript/><img src=url404 onerror=xss(7)>',
+        '<foo" alt="" title="/><img src=url404 onerror=xss(8)>">',
+        '<img alt="<x" title="" src="/><img src=url404 onerror=xss(9)>">',
+        '<noscript/><img src=url404 onerror=xss(10)>',
+        '<noembed><noembed/><img src=url404 onerror=xss(11)>',
+
+        '<option><style></option></select><img src=url404 onerror=xss(12)></style>'
+      ], function(htmlString, index) {
+        var element = jqLite('<div></div>');
+
+        container.append(element);
+        element.append(jqLite(htmlString));
+
+        window.setTimeout(function() {
+          expect(window.xss).not.toHaveBeenCalledWith(index);
+          donePartial();
+        }, 1000);
+      });
+    });
+
+    it('should allow to restore legacy insecure behavior', function () {
+      // jQuery doesn't have this API.
+      if (!_jqLiteMode) return;
+
+      // eslint-disable-next-line new-cap
+      angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();
+
+      var elem = jqLite('<div/><span/>');
+      expect(elem.length).toBe(2);
+      expect(elem[0].nodeName.toLowerCase()).toBe('div');
+      expect(elem[1].nodeName.toLowerCase()).toBe('span');
+    });
+  });
+
   describe('_data', function() {
     it('should provide access to the events present on the element', function() {
       var element = jqLite('<i>foo</i>');