add patches to fix DOM clobbering

jspsych · Jan 8, 2025 · 80c4989 · 80c4989
1 parent 54be7a0
commit 80c4989
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/packages/config/rollup.js b/packages/config/rollup.js
@@ -81,6 +81,15 @@ const makeConfig = ({
           find: /'__CITATIONS__'/g,
           replace: JSON.stringify(citationData, null, 2),
         }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
         esbuild({ ...esBuildPluginOptions, target: "node18" }),
         commonjs(commonjsPluginOptions),
       ],
@@ -111,6 +120,15 @@ const makeConfig = ({
           find: /'__CITATIONS__'/g,
           replace: JSON.stringify(citationData, null, 2),
         }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
         resolve({ preferBuiltins: false }),
         esbuild({ ...esBuildPluginOptions, target: "esnext" }),
         commonjs(commonjsPluginOptions),
@@ -135,6 +153,15 @@ const makeConfig = ({
           find: /'__CITATIONS__'/g,
           replace: JSON.stringify(citationData, null, 2),
         }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
         resolve({ preferBuiltins: false }),
         esbuild({ ...esBuildPluginOptions, target: "es2015", minify: true }),
         commonjs(commonjsPluginOptions),