Security Advisories (9)
CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (such as .html() and .append()) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (such as .html() and .append()) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-11358 (2019-04-20)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2011-4969 (2013-03-08)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVE-2012-6708 (2018-01-18)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
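The following is an added example for this page, not jQuery's own code: two small models of the jQuery(strInput) decision described in CVE-2012-6708 (and relevant to the location.hash case in CVE-2011-4969). classifyAnywhere models the pre-1.9 rule (a tag anywhere in the string makes it HTML); classifyStart models the 1.9+ rule (only a string that starts with '<' is HTML). The function names, the selector prefix and the attacker suffix are constructed for the example; jQuery's real rquickExpr regular expressions are not reproduced here, so check the tagged jQuery source for the exact patterns.

```javascript
// Added example (not jQuery's code): models of the "HTML or selector?" decision
// made by jQuery(strInput). In jQuery, an "html" decision hands the string to the
// HTML parser, where markup such as <img onerror=...> runs script; a "selector"
// decision only queries the DOM (and an invalid selector throws).

function containsTag(s) {
  return /<[\w\W]+>/.test(s);            // a '<' ... '>' pair anywhere in the string
}

// Pre-1.9 policy as described in CVE-2012-6708: a tag anywhere means HTML.
function classifyAnywhere(s) {
  return containsTag(s) ? 'html' : 'selector';
}

// 1.9+ policy: HTML only if the (trimmed) string explicitly starts with '<'.
function classifyStart(s) {
  return s.trimStart().startsWith('<') && containsTag(s) ? 'html' : 'selector';
}

// Constructed inputs: an application-controlled selector prefix with an
// attacker-controlled suffix appended (for example from location.hash or a
// query parameter), plus ordinary selector and HTML cases.
const TRUSTED_PREFIX = '.post-title ';
const ATTACKER_SUFFIX = '<img src=x onerror=alert(1)>';

function classifyAll(classify) {
  return {
    plainSelector: classify('.post-title'),
    realHtml: classify('<div class="post"></div>'),
    taintedSuffix: classify(TRUSTED_PREFIX + ATTACKER_SUFFIX),
  };
}

console.log('pre-1.9 rule :', classifyAll(classifyAnywhere)); // taintedSuffix: 'html'
console.log('1.9+ rule    :', classifyAll(classifyStart));    // taintedSuffix: 'selector'
```

The point the comparison makes is the one the advisory states: after 1.9 an attacker who controls only the tail of the string can no longer steer it into the HTML parser; they must control the beginning, which is much rarer in real applications.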

CVE-2020-7656 (2020-05-19)

jQuery prior to 1.9.0 allows cross-site scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, i.e. "</script >", which results in the enclosed script being executed.

CVE-2019-5428

Prototype Pollution is a vulnerability class affecting JavaScript. It refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. JavaScript allows all Object properties to be altered, including special properties such as __proto__, constructor and prototype. An attacker manipulates these properties to overwrite, or pollute, the prototype of the application's base Object by injecting other values. Properties on Object.prototype are then inherited by all JavaScript objects through the prototype chain. Depending on how the application uses the injected properties, this leads either to denial of service by triggering JavaScript exceptions, or to tampering with application logic to force the code path the attacker injects, potentially leading to remote code execution.
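The following is an added example written for this page, not jQuery's code, serving both the jQuery.extend(true, {}, ...) issue in CVE-2019-11358 above and the prototype pollution mechanism described in CVE-2019-5428. vulnerableExtend is a deep merge that behaves like the pre-3.4.0 jQuery.extend(true, ...) path: it enumerates every key of the source, including an own "__proto__" key, and recurses into target[key], which for "__proto__" is Object.prototype itself. safeExtend applies the check jQuery 3.4.0 added (skip "__proto__"), and additionally skips "constructor" and "prototype" as a conservative choice for this example. The payload string, isPlainObject and pollutes are constructed for the example.

```javascript
// Added example (not jQuery's code): vulnerable vs. hardened deep merge.

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Vulnerable model of pre-3.4.0 jQuery.extend(true, target, src): walks every
// enumerable key, and for a plain-object value recurses into target[key].
// When key is "__proto__", target[key] is Object.prototype, so the recursion
// writes the attacker's properties onto the shared prototype.
function vulnerableExtend(target, src) {
  for (const key in src) {
    const value = src[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = vulnerableExtend(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened model: own keys only, and never descend into or assign the keys
// that reach a prototype. jQuery 3.4.0 added the "__proto__" check; the other
// two names are skipped here as well (example's own choice).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeExtend(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeExtend(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body merged into settings.
// JSON.parse creates an own, enumerable "__proto__" key (an object literal in
// source code would instead set the prototype and create no such key).
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Returns true when an unrelated object created after the merge now inherits
// isAdmin, i.e. Object.prototype was polluted. Cleans up afterwards.
function pollutes(extendFn) {
  extendFn({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('vulnerableExtend pollutes Object.prototype:', pollutes(vulnerableExtend)); // true
console.log('safeExtend pollutes Object.prototype:', pollutes(safeExtend));             // false
```

Note that the payload only works because it arrives through JSON.parse (or another path that creates an own "__proto__" key); a check that keys exist via Object.keys does not help on its own, since the key is own and enumerable. The fix has to refuse to recurse into that key.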

CVE-2014-6071 (2018-01-16)

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the .text() method inside .after().

NAME

Yancy::Backend

VERSION

version 1.003

SYNOPSIS

my $be = Yancy::Backend->new( $url );

$result = $be->list( $collection, $where, $options );
say "Total: " . $result->{total};
say "Name: " . $_->{name} for @{ $result->{items} };

$item = $be->get( $collection, $id );
$be->set( $collection, $id, $item );
$be->delete( $collection, $id );
$id = $be->create( $collection, $item );

DESCRIPTION

A Yancy::Backend handles talking to the database. Different Yancy backends will support different databases. To use a backend, see "SUPPORTED BACKENDS". To make your own backend, see "METHODS" for the list of methods you must implement, their arguments, and their return values.

Terminology

Yancy backends work with collections, which are made up of items. A collection is a set of items, like a database table. An item is a single element of a collection, and must be a hashref.

SUPPORTED BACKENDS

METHODS

new

my $url = 'test://custom_string';
my $be = Yancy::Backend::Test->new( $url, $collections );

Create a new backend object. $url is a string that begins with the backend name followed by a colon. Everything else in the URL is for the backend to use to describe how to connect to the underlying database and any options for the backend object itself.

$collections is a hash reference of collection configuration from the Yancy configuration. Important configuration for the backend to support:

x-id-field

The name of the ID field for the collection. Defaults to id. It does not need to be the primary key: This can be any unique identifier.

The backend name will be run through ucfirst before being looked up in Yancy::Backend::. For example, mysql://... will use the Yancy::Backend::Mysql module.

list

my $result = $be->list( $collection, $where, $opt );
# { total => ..., items => [ ... ] }

Fetch a list of items from a collection. $collection is the collection name. $where is a SQL::Abstract where structure.

$opt is a hash reference with the following keys:

limit

The maximum number of items to return.

offset

The number of items to skip before the first returned item.

Returns a hashref with two keys:

items

An array reference of hash references of item data

total

The total count of items that would be returned without limit or offset.

get

my $item = $be->get( $collection, $id );

Get a single item. $collection is the collection name. $id is the ID of the item to get. Returns a hashref of item data.

set

$be->set( $collection, $id, $item );

Update an item. $collection is the collection name. $id is the ID of the item to update. $item is the item's data to set. Returns a boolean that is true if a row with the given ID was found and updated, false otherwise.

create

my $id = $be->create( $collection, $item );

Create a new item. $collection is the collection name. $item is the item's data. Returns the ID of the row created, suitable to be passed to the get() method.

delete

$be->delete( $collection, $id );

Delete an item. $collection is the collection name. $id is the ID of the item to delete. Returns a boolean that is true if a row with the given ID was found and deleted, false otherwise.

read_schema

my $schema = $be->read_schema;

Read the schema from the database tables. Returns an OpenAPI schema ready to be merged into the user's configuration.

AUTHOR

Doug Bell <preaction@cpan.org>

COPYRIGHT AND LICENSE

This software is copyright (c) 2018 by Doug Bell.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.