exadel-inc / esl
Lightweight and flexible UI component library based on web components technology for creating basic UX modules
Home Page: https://esl-ui.com
License: MIT License
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: rails/jquery-rails@8f601cb
Release Date: 2020-05-19
Fix Resolution: jquery-rails - 2.2.0
Step up your Open Source Security Game with WhiteSource here
Add ability to define ESL Media Queries with a single or multiple 'not' operator, and "and"/"or" conditions
Examples:
not @xs
not (hover: none)
@xs and not @ie
not (max-width: 800) or not (max-height: 800)
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-6.0.0.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1364af76a5542500c86b186babcd6a2ca000efc9
Found in base branch: main
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/browserslist/package.json
Dependency Hierarchy:
Found in base branch: main
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Path to dependency file: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html
Path to vulnerable library: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Setup sitemap generation template for ESL demo site pages
As an ESL contributor, I want to be able to exclude certain parts of markdown from 11ty page rendering.
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/autoprefixer/node_modules/postcss/package.json,esl/node_modules/postcss-scss/node_modules/postcss/package.json,esl/node_modules/postcss-safe-parser/node_modules/postcss/package.json,esl/node_modules/postcss-sass/node_modules/postcss/package.json,esl/node_modules/postcss-less/node_modules/postcss/package.json,esl/node_modules/stylelint/node_modules/postcss/package.json,esl/node_modules/sugarss/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: fea7edcd7d1370e2680785c3b1f8dbad4d63b1c7
Found in base branch: main
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution: postcss - 8.2.10
As an ESL tech architect, I want to
Add a deep merge utility to the esl-utils module
deepMerge({a: 1, b: {a: 1}}, {a: 2, b: {b: 2}, c: 3}) // {a: 2, b: {a: 1, b: 2}, c: 3}
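The request above states only the expected result. The block below is an added implementation written for this page, not the esl-utils code, that produces that result and also covers the case a security reviewer would ask about first: a recursive merge is the classic sink for prototype pollution when the source object comes from JSON, so this version skips the `__proto__`, `constructor` and `prototype` keys. The guard list, `isPlainObject` and the sample inputs are this example's own assumptions.

```javascript
// Added example: a deep merge with the semantics from the issue above plus a
// guard that keeps attacker-controlled keys off Object.prototype.
// Not the ESL implementation.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only objects created by {} / JSON.parse / Object.create(null) are merged
// recursively; arrays, class instances and primitives are replaced wholesale.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merges every source into `target`, left to right, and returns `target`.
function deepMerge(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // pollution guard: never walk these
      const next = source[key];
      if (isPlainObject(next)) {
        // Create a fresh container unless target already owns a plain object
        // there, so nested source objects are copied rather than aliased.
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
          target[key] = {};
        }
        deepMerge(target[key], next);
      } else {
        target[key] = next;
      }
    }
  }
  return target;
}

// The issue's own example.
const merged = deepMerge({a: 1, b: {a: 1}}, {a: 2, b: {b: 2}, c: 3});

// Constructed hostile input: an own "__proto__" key only exists when the
// object comes from JSON.parse (an object literal would set the prototype).
const hostile = JSON.parse('{"__proto__": {"polluted": true}, "safe": 1}');
const mergedHostile = deepMerge({}, hostile);
```

Without the `UNSAFE_KEYS` check the hostile input would be walked into `target['__proto__']`, which is `Object.prototype`, and every object in the process would gain a `polluted` property; with it the key is simply ignored and `safe` is merged as usual.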
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
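The two jQuery findings above against the same vendored jquery 1.8.1 (CVE-2020-7656 and CVE-2012-6708) are both about how a string from an untrusted source is classified and scrubbed before it reaches the HTML parser. The block below is an added illustration written for this page, not jQuery source: `looksLikeHtmlOld` and `looksLikeHtmlFixed` mirror the "contains '<' anywhere" versus "starts with '<'" rules the advisory describes, and `stripScriptsNaive` / `stripScriptsFixed` are simplified stand-ins for a closing-tag pattern with and without tolerance for whitespace before `>`. The payloads are constructed.

```javascript
// Added illustration of two jQuery-era input-classification bugs.
// NOT jQuery source; the regexes are simplified stand-ins.

// CVE-2012-6708 shape: pre-1.9 jQuery treated any string containing '<'
// as HTML, so an attacker who controls only the tail of a selector string
// (e.g. '#' + location.hash.slice(1)) could smuggle in markup.
function looksLikeHtmlOld(input) {
  return input.indexOf('<') !== -1;
}

// 1.9+ shape: only a string that starts (after optional whitespace) with '<'
// is handed to the HTML parser; everything else is treated as a selector.
function looksLikeHtmlFixed(input) {
  return /^\s*</.test(input);
}

// CVE-2020-7656 shape: .load() removed <script> blocks from fetched HTML
// before inserting it, but the close-tag pattern required a literal
// "</script>", so "</script >" was left in place and executed on insert.
const SCRIPT_NAIVE = /<script[^>]*>[\s\S]*?<\/script>/gi;
// Tolerate whitespace between the tag name and '>' of the closing tag,
// which is how browsers tokenize "</script >".
const SCRIPT_FIXED = /<script[^>]*>[\s\S]*?<\/script\s*>/gi;

function stripScriptsNaive(html) {
  return html.replace(SCRIPT_NAIVE, '');
}

function stripScriptsFixed(html) {
  return html.replace(SCRIPT_FIXED, '');
}

// Constructed payloads.
const SELECTOR_TAIL_PAYLOAD = '#tab-<img src=x onerror=alert(1)>';
const FETCHED_HTML = '<p>ok</p><script>alert(1)</script ><p>end</p>';
```

Two caveats a practitioner should keep in mind. The 1.9 change only narrows who can exploit the selector path (the attacker must now control the start of the string); it is not a sanitizer. And a regex-based script stripper like the "fixed" one above closes exactly one gap, which is why the later advisories on this page (CVE-2020-11022 / CVE-2020-11023) still affect `.html()` and `.append()` up to 3.5.0: the only real remediation is the upgrade the bot recommends, and untrusted HTML should not be handed to those methods at all.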
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/autoprefixer/node_modules/postcss/package.json,esl/node_modules/postcss-scss/node_modules/postcss/package.json,esl/node_modules/postcss-safe-parser/node_modules/postcss/package.json,esl/node_modules/postcss-sass/node_modules/postcss/package.json,esl/node_modules/postcss-less/node_modules/postcss/package.json,esl/node_modules/stylelint/node_modules/postcss/package.json,esl/node_modules/sugarss/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: f4ed690da6b66d24ec5574913d6c5ac2ca38d2eb
Found in base branch: main
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution: postcss - 8.2.10
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js
Path to dependency file: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html
Path to vulnerable library: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/autoprefixer/node_modules/postcss/package.json,esl/node_modules/postcss-scss/node_modules/postcss/package.json,esl/node_modules/postcss-safe-parser/node_modules/postcss/package.json,esl/node_modules/postcss-sass/node_modules/postcss/package.json,esl/node_modules/postcss-less/node_modules/postcss/package.json,esl/node_modules/stylelint/node_modules/postcss/package.json,esl/node_modules/sugarss/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: f4ed690da6b66d24ec5574913d6c5ac2ca38d2eb
Found in base branch: main
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution: postcss - 8.2.13
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/eslint-plugin-import/node_modules/hosted-git-info/package.json,esl/node_modules/read-pkg/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 2.8.9,3.0.8
As an ESLImage consumer, I want to be able to define image sources per container query instead of a browser window Media Query.
A Container Query defines size conditions such as min-height, max-width, etc. per current element size.
That means that the query ~'(min-width: 400px)' accepts if the current image element is more than 400px wide.
As an ESL contributor, I want to be able to use Markdown syntax as a primary content source on the ESL demo site.
Note: It will be nice to be able to refer to existing documentation in the src directory.
As an ESL Tooltip, Popup, Note and Footnote consumer, I want these components to be easier to use for as many people as possible by creating a helpful, accessible product.
simple, flexible, fun test framework
Library home page: https://cdnjs.cloudflare.com/ajax/libs/mocha/2.5.3/mocha.min.js
Path to dependency file: esl/node_modules/intersection-observer/intersection-observer-test.html
Path to vulnerable library: esl/node_modules/intersection-observer/intersection-observer-test.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
Mocha is vulnerable to a ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
Base Score Metrics:
Type: Upgrade version
Origin: v6.0.0
Release Date: 2020-05-07
Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559
Extend ESL Media Query API with the following methods and updates:
for method to easily get a cached ESLMediaQuery (ESLMediaQuery.for('@xs').matches)
ignoreBotDpr marker
(Optional) Add a separate ESLBreakpoint utility to manage breakpoint aliases and related extra API
E.g.:
ESLBreakpoints.names
ESLBreakpoints.get('xs')
ESLBreakpoints.current
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/npm/node_modules/ssri/package.json
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
Release Date: 2021-03-12
Fix Resolution: v8.0.1
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution: xmlhttprequest - 1.7.0,xmlhttprequest-ssl - 1.6.2
As an ESL consumer, I want to have an optional type extension for document.createElement with default ESL tag names.
Example
const el: ESLToggleable = document.createElement('esl-toggleable'); // type error
Expected behavior
const el: ESLToggleable = document.createElement('esl-toggleable');
Add support for the following list of conditions to the ESLMediaQuery:
@bot, @desktop, @mobile
@ie, @blink, @gecko
@touch
Add ability to define user's custom shortcuts for string media queries, simple static conditions, "replacer" functions
Shortcuts.add('nohover', '(hover: none)')
Shortcuts.add('touch', DeviceDetector.isTouch)
Shortcuts.add(/(x|m|l)-size/, (match, group1) => 'media query')
Update ESL Scrollbar README.md with the
As an ESL Utils consumer, I want to be able to use Delete/Backspace key values.
As an ESL Tabs and ESL Panel consumer, I want to be able to play with the components and try the features out.
As an ESL contributor, I would feel much more comfortable if my HTML markup (.njk) were linted more thoroughly than lint-space does.
Open questions:
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: 1364af76a5542500c86b186babcd6a2ca000efc9
Found in base branch: main
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution: trim-newlines - 3.0.1, 4.0.1
There is no minified version of styles in the ESL build output.
Expected behavior
*.min.css files are present in the library output
Update GH pages content on the Homepage.
As an ESL Footnotes and ESL Tooltip consumer, I want to be able to play with the components and try the features out.
As an ESL Scrollbar consumer, I want to be able to use horizontal scrollbar instances inside an RTL direction context.
As an ESL tech architect, I want the inner logic of the ESL Scrollbar to stay as short and clear after the update as it is right now.
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution: engine.io - 4.0.0
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/npm/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
Release Date: 2020-11-17
Fix Resolution: 5.0.5
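The PoC in the advisory works because the locale name is used directly as a property name on a plain-object cache: `cache['__proto__']` resolves to `Object.prototype`, so every translation key written afterwards appears on every object in the process. The block below is an added example written for this page, not y18n's source, that reproduces that shape in a minimal `LocaleCacheVulnerable` and puts a hardened `LocaleCacheHardened` beside it (a `Map` keyed by validated locale names, null-prototype translation tables). The class and method names, the locale-name pattern and `isPollutedBy` are this example's own.

```javascript
// Added example of the CVE-2020-7774 bug class: a caller-chosen locale name
// becomes a property name on a plain-object cache. Not y18n's source.

class LocaleCacheVulnerable {
  constructor() {
    this.cache = {};      // plain object: inherits from Object.prototype
    this.locale = 'en';
  }
  setLocale(locale) {
    this.locale = locale; // no validation of the name
  }
  updateLocale(translations) {
    // With locale === '__proto__', this.cache[this.locale] IS
    // Object.prototype (the check below passes because it is truthy), so
    // every write lands on every object in the process.
    if (!this.cache[this.locale]) this.cache[this.locale] = {};
    const table = this.cache[this.locale];
    for (const key of Object.keys(translations)) table[key] = translations[key];
  }
  t(key) {
    const table = this.cache[this.locale];
    return table ? table[key] : undefined;
  }
}

class LocaleCacheHardened {
  constructor() {
    this.cache = new Map(); // Map keys are data, never property lookups
    this.locale = 'en';
  }
  setLocale(locale) {
    // Locale identifiers are caller input; accept only language-tag-like
    // tokens (assumed format for this example).
    if (typeof locale !== 'string' || !/^[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{1,8})*$/.test(locale)) {
      throw new TypeError('invalid locale name: ' + String(locale));
    }
    this.locale = locale;
  }
  updateLocale(translations) {
    // A null-prototype table has no '__proto__' accessor, so even a key
    // literally named '__proto__' becomes an ordinary own property.
    const table = this.cache.get(this.locale) || Object.create(null);
    for (const key of Object.keys(translations)) table[key] = translations[key];
    this.cache.set(this.locale, table);
  }
  t(key) {
    const table = this.cache.get(this.locale);
    return table ? table[key] : undefined;
  }
}

// Runs the advisory's PoC against a cache class and reports whether a fresh
// object picked up the injected property. Removes the property afterwards
// so the rest of the process is not left polluted.
function isPollutedBy(CacheClass) {
  const cache = new CacheClass();
  try {
    cache.setLocale('__proto__');
  } catch (e) {
    return false; // the hardened variant rejects the name outright
  }
  cache.updateLocale({ polluted: true });
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}
```

Either defence alone (validating the key, or using a `Map` / null-prototype store) closes this hole; using both means a future change that relaxes the validation does not silently reopen it.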
Add new ESL Footnote and ESL Note components to manage page footnotes feature.
ESL Note is an inline text component to define text footnote.
Lorem ipsum<esl-note>some extra note</esl-note>
ESL Footnote is a component to define a notes area and collect notes content.
An ESL Note within the bounds of an ESL Footnote area replaces its content with a sequential number and places its content inside the ESL Footnote container.
The user should be able to see the ESL Note content in a Tooltip on hover or click on the ESL Note instance.
User also should be able to move to the note from the footnotes container.
Integrate the upcoming @exadel/ui-playground library into the ESL GHPages demo site.
✅ Iteration I: Initial
UX is under discussion
Add(replace) ESLPopup with an ESL Toggleable implementation, with the following abilities:
Add documentation and guides regarding the new 11ty based GH Pages
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in base branch: main
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution: xmlhttprequest-ssl - 1.6.1
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: f4ed690da6b66d24ec5574913d6c5ac2ca38d2eb
Found in base branch: main
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: fea7edcd7d1370e2680785c3b1f8dbad4d63b1c7
Found in base branch: main
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
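Most findings on this page (normalize-url, browserslist, postcss, hosted-git-info, mocha, ssri, trim-newlines, path-parse) are ReDoS of the same shape: a pattern with a repeated character class or group that is anchored at only one end, run over attacker-controlled text, so a single input that defeats the anchor makes the engine retry the run from every start position. The block below is an added example written for this page, not code from any of the listed packages: `trimEndRegex` has the shape the trim-newlines `.end()` advisory describes (a `[\r\n]+$` replace, assumed here as an illustration), `trimEndLinear` is the backwards scan that does the same job in linear time, and `growthRatio` is a small harness for checking any suspect function for super-linear growth on a constructed worst-case input.

```javascript
// Added example: the ReDoS shape behind most findings on this page and the
// linear replacement. Not code from trim-newlines or the other packages.

// Vulnerable shape: a greedy class anchored only at the end of input. On
// n newlines followed by one other character, the engine matches the whole
// run, fails at '$', backtracks, and then repeats from each of the n start
// positions: O(n^2) work for a string it will not even change.
const TRAILING_NEWLINES = /[\r\n]+$/;
function trimEndRegex(s) {
  return s.replace(TRAILING_NEWLINES, '');
}

// Linear replacement: walk backwards from the end, no regex, no
// intermediate allocations unless something is actually trimmed.
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0 && (s[end - 1] === '\n' || s[end - 1] === '\r')) end--;
  return end === s.length ? s : s.slice(0, end);
}

// Constructed worst case for this pattern: n newlines then a character that
// defeats the '$' anchor.
function worstCaseInput(n) {
  return '\n'.repeat(n) + 'x';
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Doubling the input should roughly double a linear function's time and
// quadruple a quadratic one's. A ratio that keeps climbing well past 2 as n
// grows is the red flag; treat single runs as noisy and repeat them.
function growthRatio(fn, n) {
  const small = worstCaseInput(n);
  const large = worstCaseInput(2 * n);
  fn(small); // warm-up so JIT compilation is not charged to the first run
  const tSmall = Math.max(timeMs(() => fn(small)), 0.01);
  const tLarge = timeMs(() => fn(large));
  return tLarge / tSmall;
}

// Sample run with a modest n so the quadratic case finishes quickly.
console.log('regex  x2 ratio', growthRatio(trimEndRegex, 4000).toFixed(1));
console.log('linear x2 ratio', growthRatio(trimEndLinear, 4000).toFixed(1));
```

The same harness applies to the other findings by swapping in the suspect function and an input that defeats its anchor (a long `data:` URL for normalize-url, a long `sourceMappingURL` comment for postcss, a long device prefix for path-parse). When a regex cannot be removed, bound the input length before matching; that is exactly the mitigation the ws advisory below recommends for request headers.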
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.4.tgz
Path to dependency file: esl/package.json
Path to vulnerable library: esl/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: 1364af76a5542500c86b186babcd6a2ca000efc9
Found in base branch: main
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
Add a new ESLToggleable based component with the following list of features:
show function
As an ESL Utils consumer, I want to be able to use window utils.
As an ESL tech architect, I want to extend ESL Utils with window utils such as windowY, windowX, windowWidth (position utils).
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2
Found in base branch: main
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0