Safety update for jquery-colorbox.js

version 1.64 has XSS vulnerabilities which the author did not solve (archived)

include/thirdparty/colorbox/colorbox/jquery.colorbox.js

@@ -1,8 +1,18 @@
 /*!
-	Colorbox 1.6.4
+	Colorbox 1.6.4 - Patched
 	license: MIT
 	http://www.jacklmoore.com/colorbox
+	
+	Summary of Changes : github.com/gtbu 9/2025
+    escapeHtml function: Your escapeHtml function is correct and has been retained.
+    title and html: The title and html settings are now sanitized in the prep and load functions respectively, 
+	before being passed to .html().
+    Internationalization Strings: The current, previous, next, and close strings are now sanitized with escapeHtml 
+	before being used to create the UI.
+    Slideshow Controls: The slideshowStart and slideshowStop strings are also sanitized.
+    Error Messages: The imgError and xhrError messages are sanitized to prevent XSS through error conditions.	
 */
+
 (function ($, document, window) {
 	var
 	// Default settings object.
@@ -155,7 +165,7 @@
 	$prev,
 	$close,
 	$groupControls,
-	$events = $('<a/>'), // $({}) would be prefered, but there is an issue with jQuery 1.4.2
+	$events = $({}), // $events = $('<a/>'), - with jQuery 1.4.2
 
 	// Variables for cached values or use across multiple functions
 	settings,
@@ -179,6 +189,15 @@
 	// HELPER FUNCTIONS
 	// ****************
 
+    function escapeHtml(text) {
+      return String(text)
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+    }
+	
 	// Convenience function for creating new jQuery objects
 	function $tag(tag, id, css) {
 		var element = document.createElement(tag);
@@ -317,7 +336,7 @@
 
 		function start() {
 			$slideshow
-				.html(settings.get('slideshowStop'))
+				.html(escapeHtml(settings.get('slideshowStop')))
 				.unbind(click)
 				.one(click, stop);
 
@@ -336,7 +355,7 @@
 				.unbind(event_load, clear);
 
 			$slideshow
-				.html(settings.get('slideshowStart'))
+				.html(escapeHtml(settings.get('slideshowStart')))
 				.unbind(click)
 				.one(click, function () {
 					publicMethod.next();
@@ -455,7 +474,7 @@
 			}).show();
 
 			if (settings.get('closeButton')) {
-				$close.html(settings.get('close')).appendTo($content);
+				$close.html(escapeHtml(settings.get('close'))).appendTo($content);
 			} else {
 				$close.appendTo('<div/>'); // replace with .detach() when dropping jQuery < 1.4
 			}
@@ -834,16 +853,16 @@
 			};
 
 
-			$title.html(settings.get('title')).show();
+			$title.html(escapeHtml(settings.get('title'))).show();
 			$loaded.show();
 
 			if (total > 1) { // handle grouping
 				if (typeof settings.get('current') === "string") {
-					$current.html(settings.get('current').replace('{current}', index + 1).replace('{total}', total)).show();
+					$current.html(escapeHtml(settings.get('current')).replace('{current}', index + 1).replace('{total}', total)).show();
 				}
 
-				$next[(settings.get('loop') || index < total - 1) ? "show" : "hide"]().html(settings.get('next'));
-				$prev[(settings.get('loop') || index) ? "show" : "hide"]().html(settings.get('previous'));
+				$next[(settings.get('loop') || index < total - 1) ? "show" : "hide"]().html(escapeHtml(settings.get('next')));
+				$prev[(settings.get('loop') || index) ? "show" : "hide"]().html(escapeHtml(settings.get('previous')));
 
 				slideshow();
 
@@ -965,7 +984,7 @@
 			// to avoid problems with DOM-ready JS that might be trying to run in that iframe.
 			prep(" ");
 		} else if (settings.get('html')) {
-			prep(settings.get('html'));
+			prep(escapeHtml(settings.get('html')));
 		} else if (isImage(settings, href)) {
 
 			href = retinaUrl(settings, href);
@@ -975,14 +994,14 @@
 			$(photo)
 			.addClass(prefix + 'Photo')
 			.bind('error.'+prefix,function () {
-				prep($tag(div, 'Error').html(settings.get('imgError')));
+				prep($tag(div, 'Error').html(escapeHtml(settings.get('imgError'))));
 			})
 			.one('load', function () {
 				if (request !== requests) {
 					return;
 				}
 
-				// A small pause because some browsers will occassionaly report a
+				// A small pause because some browsers will occasionally report a
 				// img.width and img.height of zero immediately after the img.onload fires
 				setTimeout(function(){
 					var percent;
@@ -1030,7 +1049,7 @@
 		} else if (href) {
 			$loadingBay.load(href, settings.get('data'), function (data, status) {
 				if (request === requests) {
-					prep(status === 'error' ? $tag(div, 'Error').html(settings.get('xhrError')) : $(this).contents());
+					prep(status === 'error' ? $tag(div, 'Error').html(escapeHtml(settings.get('xhrError'))) : $(this).contents());
 				}
 			});
 		}
@@ -1102,4 +1121,4 @@
 
 	publicMethod.settings = defaults;
 
-}(jQuery, document, window));
+}(jQuery, document, window));

include/tool/Output/Combine.php

@@ -535,13 +535,13 @@ class Combine{
 			],
 		],
 
-		// Colorbox (1.6.3 MIT)
+		// Colorbox (1.6.4 MIT)
 		'colorbox' => [
 			'file'			=> '/include/thirdparty/colorbox/colorbox/jquery.colorbox.js',
 			'requires'		=> 'gp-main,colorbox-css',
 			'label'			=> 'Colorbox JS',
 			'cdn'			=> [
-				'CloudFlare'	=> 'https://cdnjs.cloudflare.com/ajax/libs/jquery.colorbox/1.6.3/jquery.colorbox-min.js',
+				'CloudFlare'	=> 'https://cdnjs.cloudflare.com/ajax/libs/jquery.colorbox/1.6.4/jquery.colorbox-min.js',
 			],
 		],