From 80c4989431c1f4636e1ea335ed39ad7a7431f2f1 Mon Sep 17 00:00:00 2001
From: cchang-vassar <79338042+cchang-vassar@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:47:27 -0500
Subject: [PATCH] add patches to fix DOM clobbering
---
 packages/config/rollup.js | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/packages/config/rollup.js b/packages/config/rollup.js
index 2dbc2d16e0..2f8b96f7f5 100644
--- a/packages/config/rollup.js
+++ b/packages/config/rollup.js
@@ -81,6 +81,15 @@ const makeConfig = ({
 find: /'__CITATIONS__'/g,
 replace: JSON.stringify(citationData, null, 2),
 }),
+ modify({
+ // Patch to mitigate DOM Clobbering vulnerability
+ find: /document\.currentScript/g,
+ replace: `(typeof document !== 'undefined' &&
+ document.currentScript &&
+ document.currentScript.tagName &&
+ document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+ document.currentScript)`,
+ }),
 esbuild({ ...esBuildPluginOptions, target: "node18" }),
 commonjs(commonjsPluginOptions),
 ],
@@ -111,6 +120,15 @@ const makeConfig = ({
 find: /'__CITATIONS__'/g,
 replace: JSON.stringify(citationData, null, 2),
 }),
+ modify({
+ // Patch to mitigate DOM Clobbering vulnerability
+ find: /document\.currentScript/g,
+ replace: `(typeof document !== 'undefined' &&
+ document.currentScript &&
+ document.currentScript.tagName &&
+ document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+ document.currentScript)`,
+ }),
 resolve({ preferBuiltins: false }),
 esbuild({ ...esBuildPluginOptions, target: "esnext" }),
 commonjs(commonjsPluginOptions),
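Review bot: The same `modify({ find: /document\.currentScript/g, … })` block is pasted into all three plugin lists (this hunk and the ones at +120 and +153), and the textual rewrite it performs is fragile: the multi-line template replacement turns a `document.currentScript` that sits in a `//` comment or a quoted string of any bundled module into a syntax error, and the unanchored pattern rewrites `window.document.currentScript` into `window.(typeof document …)`, which is invalid too — whether either form occurs in the bundled sources is not visible here. I would hoist the plugin into one factory next to the other plugin options, keep the replacement on one line, and anchor the pattern so a preceding `.`, `$` or identifier character makes it skip the match rather than mangle it (a skipped `window.document.currentScript` then stays unguarded and should be grepped for in the output). The guard itself is reasonable: a named element injected into the page can shadow the built-in `currentScript` getter, but such an element is never a `<script>`, so a non-SCRIPT `tagName` makes the expression falsy — consumers of the result must handle that falsy value, which again depends on the bundled code rather than this diff. The one-line comment should say what is checked and why, e.g. `// DOM-clobbering guard: a named element can shadow document.currentScript; accept only a real SCRIPT element (falsy otherwise)`. makeConfig starts before this hunk and continues after it.
```javascript
// … unchanged: other plugin option objects above makeConfig …
// DOM-clobbering guard for every `document.currentScript` access in the bundled
// modules: a named element injected into the page can shadow the built-in getter,
// so only a real SCRIPT element passes and consumers get a falsy value otherwise.
// One instance per build, like the other plugins; the replacement stays on one
// line so a match inside a `//` comment or a quoted string cannot break the output.
const currentScriptGuard = () =>
  modify({
    // Not preceded by `.`, `$` or an identifier character, so
    // `window.document.currentScript` is skipped rather than rewritten into `window.(…)`.
    find: /(?<![\w$.])document\.currentScript\b/g,
    replace:
      "(typeof document !== 'undefined' && document.currentScript && document.currentScript.tagName && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript)",
  });

// … in each of the three plugin lists, in place of the pasted block …
    currentScriptGuard(),
```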
@@ -135,6 +153,15 @@ const makeConfig = ({
 find: /'__CITATIONS__'/g,
 replace: JSON.stringify(citationData, null, 2),
 }),
+ modify({
+ // Patch to mitigate DOM Clobbering vulnerability
+ find: /document\.currentScript/g,
+ replace: `(typeof document !== 'undefined' &&
+ document.currentScript &&
+ document.currentScript.tagName &&
+ document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+ document.currentScript)`,
+ }),
 resolve({ preferBuiltins: false }),
 esbuild({ ...esBuildPluginOptions, target: "es2015", minify: true }),
 commonjs(commonjsPluginOptions),