From cf7b28bdf591000a9bd7d7363cc388c6dc8591b9 Mon Sep 17 00:00:00 2001
From: Christopher Tubbs
Date: Tue, 20 Dec 2016 18:16:10 -0500
Subject: [PATCH] Update to 2.2.4 and backport XSS patch (bz#1399550,bz#1399549)

---
 .gitignore | 1 +
 js-jquery-disable-gzip-js.patch | 15 +++---
 js-jquery.spec | 24 +++++----
 sources | 2 +-
 xss-fix-b078a62.patch | 91 +++++++++++++++++++++++++++++++++
 5 files changed, 114 insertions(+), 19 deletions(-)
 create mode 100644 xss-fix-b078a62.patch

diff --git a/.gitignore b/.gitignore
index 69924ba..d9fb1c7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /js-jquery-4dec426aa2a6cbabb1b064319ba7c272d594a688.tar.gz
 /js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz
+/jquery-2.2.4.tar.gz
diff --git a/js-jquery-disable-gzip-js.patch b/js-jquery-disable-gzip-js.patch
index 57fd731..9bf8ecd 100644
--- a/js-jquery-disable-gzip-js.patch
+++ b/js-jquery-disable-gzip-js.patch
@@ -1,14 +1,11 @@
 diff --git a/Gruntfile.js b/Gruntfile.js
-index d1ad5d4..f1f1a28 100644
 --- a/Gruntfile.js
 +++ b/Gruntfile.js
-@@ -9,8 +9,7 @@ module.exports = function( grunt ) {
- return data;
- }
+@@ -13,7 +13,6 @@ module.exports = function( grunt ) {
  
-- var gzip = require( "gzip-js" ),
-- srcHintOptions = readOptionalJSON( "src/.jshintrc" );
-+ var srcHintOptions = readOptionalJSON( "src/.jshintrc" );
+ var fs = require( "fs" ),
+ stripJSONComments = require( "strip-json-comments" ),
+- gzip = require( "gzip-js" ),
+ srcHintOptions = readOptionalJSON( "src/.jshintrc" ),
+ newNode = !/^v0/.test( process.version ),
  
- // The concatenated file won't pass onevar
- // But our modules can
diff --git a/js-jquery.spec b/js-jquery.spec
index 67da3ff..10414ba 100644
--- a/js-jquery.spec
+++ b/js-jquery.spec
@@ -1,9 +1,6 @@
-%global commit 8f2a9d9272d6ed7f32d3a484740ab342c02541e0
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
-
 Name: js-jquery
-Version: 2.1.3
-Release: 3%{?dist}
+Version: 2.2.4
+Release: 1%{?dist}
 Summary: JavaScript DOM manipulation, event handling, and AJAX library
 BuildArch: noarch
@@ -12,11 +9,13 @@ BuildArch: noarch
 %global ver_z %(echo %{version} | cut -d. -f3)
 License: MIT
-URL: http://jquery.com/
-Source0: https://github.com/jquery/jquery/archive/%{commit}/%{name}-%{commit}.tar.gz
+URL: https://jquery.com/
+Source0: https://github.com/jquery/jquery/archive/%{version}/jquery-%{version}.tar.gz
 # disable gzip-js during build
 Patch1: %{name}-disable-gzip-js.patch
+# backport of XSS bug fix from upstream; upstream fixed in 3.0.0 and newer
+Patch2: xss-fix-b078a62.patch
 BuildRequires: web-assets-devel
 BuildRequires: nodejs-packaging
@@ -31,6 +30,8 @@ BuildRequires: npm(grunt-cli)
 BuildRequires: npm(grunt-contrib-uglify)
 BuildRequires: npm(load-grunt-tasks)
 BuildRequires: npm(requirejs)
+#BuildRequires: npm(strip-json-comments) # won't work on epel7 branch
+BuildRequires: nodejs-strip-json-comments
 Requires: web-assets-filesystem
@@ -42,8 +43,10 @@ browsers. With a combination of versatility and extensibility, jQuery has
 changed the way that millions of people write JavaScript.
 %prep
-%setup -qn jquery-%{commit}
+# autosetup doesn't work right on epel7 branch
+%setup -qn jquery-%{version}
 %patch1 -p1
+%patch2 -p1
 #remove precompiled stuff
 rm -rf dist/* src/sizzle
@@ -79,10 +82,13 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
 %files
 %{_jsdir}/jquery
 %{_webassetdir}/jquery
-%doc AUTHORS.txt CONTRIBUTING.md MIT-LICENSE.txt README.md
+%doc AUTHORS.txt CONTRIBUTING.md LICENSE.txt README.md
 %changelog
+* Tue Dec 20 2016 Christopher Tubbs - 2.2.4-1
+- Update to 2.2.4 and backport XSS patch (bz#1399550,bz#1399549)
+
 * Thu Feb 04 2016 Fedora Release Engineering - 2.1.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
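Review bot: The `Patch2` comment `# backport of XSS bug fix from upstream; upstream fixed in 3.0.0 and newer` names neither the upstream commit nor what the fix does and does not cover, so whoever later rebases this package cannot tell when the patch is safe to drop or what exposure remains. The patch file name and its `From b078a620...` header already carry the upstream hash, so suggest spelling it out: `# backport of upstream b078a62 (gh-2432): stop auto-executing cross-domain ajax responses served as script when the caller gives no dataType; as far as the prefilter's crossDomain guard shows, same-origin responses are unaffected. Included in upstream 3.0.0, drop when rebasing to >= 3.0.0`. Separately, `Source0` now points at GitHub's on-the-fly `archive/%{version}` tarball instead of a commit-pinned one; such generated archives are not promised to stay byte-identical, and because `sources` now pins a SHA512 a regenerated archive will fail the build closed rather than silently change. A one-line comment above `Source0` saying so would save the next maintainer a confusing checksum failure.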
diff --git a/sources b/sources
index cda457b..1aee121 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-eba3a924d520e1018b0cc1f0bdd2ffbc js-jquery-8f2a9d9272d6ed7f32d3a484740ab342c02541e0.tar.gz
+SHA512 (jquery-2.2.4.tar.gz) = bd1176286451adeaa8c18eb98e01e8b91e45157f7263907772d637a2c15b8ac27b780be14983c4abcff5def668323beab9a6889d8da4beb6c2c06fae1f5bed1d
diff --git a/xss-fix-b078a62.patch b/xss-fix-b078a62.patch
new file mode 100644
index 0000000..8f730c1
--- /dev/null
+++ b/xss-fix-b078a62.patch
@@ -0,0 +1,91 @@
+From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001
+From: Oleg Gaidarenko
+Date: Thu, 10 Sep 2015 13:40:00 +0300
+Subject: [PATCH] Ajax: Mitigate possible XSS vulnerability
+
+Proposed by @jaubourg
+
+Fixes gh-2432
+Closes gh-2588
+---
+ src/ajax/script.js | 7 +++++++
+ test/unit/ajax.js | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 0 deletion(-)
+
+diff --git a/src/ajax/script.js b/src/ajax/script.js
+index 60b1fb6..0ec27b4 100644
+--- a/src/ajax/script.js
++++ b/src/ajax/script.js
+@@ -4,6 +4,13 @@ define( [
+ "../ajax"
+ ], function( jQuery, document ) {
+ 
++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
++jQuery.ajaxPrefilter( function( s ) {
++ if ( s.crossDomain ) {
++ s.contents.script = false;
++ }
++} );
++
+ // Install script dataType
+ jQuery.ajaxSetup( {
+ accepts: {
+diff --git a/test/unit/ajax.js b/test/unit/ajax.js
+index 14fe0be..6479587 100644
+--- a/test/unit/ajax.js
++++ b/test/unit/ajax.js
+@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
+ };
+ } );
+ 
++ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ } );
++
++ ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
++ function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ options.dataType = "script";
++ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ }
++ );
++
++ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ return jQuery.ajax( url( "data/script.php" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ } );
++
+ ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
+ return {
+ setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),
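Review bot: The new `jQuery.ajaxPrefilter` in `src/ajax/script.js` clears `s.contents.script` only inside `if ( s.crossDomain )`, yet the comment above it, `// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)`, reads as if every implicit script response were covered; as far as this hunk shows, a same-origin response with a JavaScript Content-Type and no `dataType` is still auto-evaluated, which is the upstream design but worth stating where downstream readers will see it. Since this file is a verbatim backport, the better place for that caveat is the spec's `Patch2` comment or the changelog rather than editing the upstream text, e.g. `# only cross-domain responses stop auto-executing; same-origin script responses with no dataType still run (upstream design, gh-2432)`. Also, the first and third added tests in `test/unit/ajax.js` share the exact title `"jQuery.ajax() - do not execute js (crossOrigin)"` and differ only in the `?header=ecma` query, so QUnit output cannot tell a failure of one from the other. Upstream could be asked to suffix the third with something like `(crossOrigin, no Content-Type)`, but the backport itself should stay byte-identical to b078a62 so it can be verified against upstream.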