CVE-2020-27511

[matteodelta]

Last version of prototype is affected by vulnerability CVE-2020-27511

https://www.cvedetails.com/cve/CVE-2020-27511/

there will be an update to fix that problem? any other workaround?

Thanks

[kressly]

We really need an update to fix that problem or a work around

[shuckster]

From the link in CVE:

prototype/src/prototype/lang/string.js

Line 283 in dee2f7d

return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?(\/)?>|<\/\w+>/gi, '');

• Caveat User

• Note that the processing [[String#stripTags]] does is good enough for most
• purposes, but you cannot rely on it for security purposes.

[jwestbrook]

#349 actually has the fixes ready

[madhusudhanreddyvade]

Change stripTags function as below

function stripTags() {
return this.replace(/<(?=(\w+))\1(\s+("[^"]"|'[^']'|[^>])+)?>|</(?=(\w+))\1>/gi, '');
}

[Neustradamus]

Important to solve it and create a new build!