From 1b69c98299c9770b1c900c8c2cfb34e43b3906f2 Mon Sep 17 00:00:00 2001 From: Mohammed Noumaan Ahamed Date: Fri, 2 Jan 2026 16:59:50 +0530 Subject: [PATCH 1/3] fix: enhance security by safely parsing HTML and validating selectors in Magnific Popup --- app/assets/js/vendors/magnific-popup.js | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/app/assets/js/vendors/magnific-popup.js b/app/assets/js/vendors/magnific-popup.js index 17737b06d..6331f2503 100644 --- a/app/assets/js/vendors/magnific-popup.js +++ b/app/assets/js/vendors/magnific-popup.js @@ -93,8 +93,8 @@ var _mfpOn = function(name, f) { // 1. Create the raw markup (removing the placeholder string first) var rawMarkup = mfp.st.closeMarkup.replace('%title%', ''); - // 2. Parse it into a jQuery object - var $btn = $(rawMarkup); + // 2. Parse it into a jQuery object SAFELY using $.parseHTML + var $btn = $($.parseHTML(rawMarkup)); // 3. Set the title attribute safely (jQuery handles the escaping) $btn.attr('title', mfp.st.tClose); @@ -365,10 +365,15 @@ MagnificPopup.prototype = { // add everything to DOM var appendToEl = mfp.st.prependTo || $(document.body); - // FIX: If prependTo is a string, force it to be a selector - // by looking it up inside the body, rather than letting jQuery evaluate it. - if (typeof mfp.st.prependTo === 'string') { - appendToEl = $(document.body).find(mfp.st.prependTo); + if (typeof mfp.st.prependTo === 'string') { + // FIX: Use document.querySelector to ensure the string is treated + // strictly as a CSS selector and not executable HTML. + try { + appendToEl = $(document.querySelector(mfp.st.prependTo)); + } catch (e) { + // Fallback to body if the selector is invalid + appendToEl = $(document.body); + } } mfp.bgOverlay.add(mfp.wrap).prependTo( appendToEl ); From 316275ad0cae67a29db83d8111b747feb39537a4 Mon Sep 17 00:00:00 2001 
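Review bot: `$.parseHTML(rawMarkup)` on the new `$btn` line is not a sanitizer: with its default keepScripts=false it drops `<script>` elements from `closeMarkup`, but inline handler attributes such as `onerror=` on an `<img>` survive parsing and fire once `$btn` is inserted, so the word SAFELY in the new comment overstates the guarantee. Since `closeMarkup` is an integrator-supplied option, the comment should state the actual contract, e.g. `// closeMarkup is trusted config: parseHTML strips <script> but not on* attributes, and never treats the string as a selector`. Separately, `replace('%title%', '')` substitutes only the first placeholder, so markup that uses it twice keeps a literal `%title%`; `split('%title%').join('')` removes every occurrence. The function this hunk belongs to starts and ends outside it (the `@@` context names `_mfpOn`, which is the preceding definition, not necessarily the enclosing one).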
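Review bot: `document.querySelector(mfp.st.prependTo)` returns at most one element, whereas the replaced `$(document.body).find(mfp.st.prependTo)` returned every match, so a `prependTo` selector that hits several containers now mounts the popup into the first only. If single-target is the intent, say so in the comment, e.g. `// first match only; prependTo is expected to name one container`; otherwise `document.querySelectorAll` wrapped in `$()` keeps the old semantics. The `FIX:` comment's "not executable HTML" is imprecise — the real difference is that jQuery's `$(string)` parses a string starting with `<` as HTML, while `querySelector` only ever parses a selector — and stating that exactly is what stops the next maintainer from reverting to `$(mfp.st.prependTo)`. The enclosing method on `MagnificPopup.prototype` starts and ends outside the hunk.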
From: Mohammed Noumaan Ahamed
Date: Fri, 2 Jan 2026 17:06:35 +0530
Subject: [PATCH 2/3] fix: improve element selection in Magnific Popup by validating selectors and providing a fallback

---
 app/assets/js/vendors/magnific-popup.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/assets/js/vendors/magnific-popup.js b/app/assets/js/vendors/magnific-popup.js
index 6331f2503..e7362f4b8 100644
--- a/app/assets/js/vendors/magnific-popup.js
+++ b/app/assets/js/vendors/magnific-popup.js
@@ -369,8 +369,17 @@ MagnificPopup.prototype = {
 // FIX: Use document.querySelector to ensure the string is treated
 // strictly as a CSS selector and not executable HTML.
 try {
- appendToEl = $(document.querySelector(mfp.st.prependTo));
- } catch (e) {
+ // 1. Attempt to query the element
+ var el = document.querySelector(mfp.st.prependTo);
+
+ // 2. Check if the element actually exists (querySelector returns null if not found)
+ if (el) {
+ appendToEl = $(el);
+ } else {
+ // Valid selector but element not found in DOM -> Fallback to body
+ appendToEl = $(document.body);
+ }
+ } catch (e) {
 // Fallback to body if the selector is invalid
 appendToEl = $(document.body);
 }
From 67e3d1ef8d62a2b071c3673a2e5365acc3475935 Mon Sep 17 00:00:00 2001
From: Mohammed Noumaan Ahamed
Date: Fri, 2 Jan 2026 17:35:08 +0530
Subject: [PATCH 3/3] fix: update comment

---
 app/assets/js/vendors/magnific-popup.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/app/assets/js/vendors/magnific-popup.js b/app/assets/js/vendors/magnific-popup.js
index e7362f4b8..d2ac24602 100644
--- a/app/assets/js/vendors/magnific-popup.js
+++ b/app/assets/js/vendors/magnific-popup.js
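Review bot: The `catch (e)` branch still swallows the selector SyntaxError silently, and the new `else` branch does the same for a valid selector with no match, so a misconfigured `prependTo` quietly mounts the popup on `<body>` with nothing in the console to explain why. A single guarded warning in each fallback keeps the fix while surfacing the misconfiguration, e.g. `if (window.console) { console.warn('Magnific Popup: prependTo "' + mfp.st.prependTo + '" is invalid or not found; using <body>', e); }` in the catch (without `e` in the else). This is a hand-edit to a file under `vendors/`, so the fix will be lost on the next upstream refresh unless it is tracked (a comment pointing at the issue, or moving the override into app code that wraps the option). The enclosing method on `MagnificPopup.prototype` starts and ends outside the hunk.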
@@ -366,8 +366,7 @@ MagnificPopup.prototype = {
 var appendToEl = mfp.st.prependTo || $(document.body);
 
 if (typeof mfp.st.prependTo === 'string') {
- // FIX: Use document.querySelector to ensure the string is treated
- // strictly as a CSS selector and not executable HTML.
+ // Use document.querySelector to ensure the string is treated
 try {
 // 1. Attempt to query the element
 var el = document.querySelector(mfp.st.prependTo);
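Review bot: The surviving comment `// Use document.querySelector to ensure the string is treated` is an unfinished sentence: the commit deletes the line that completed it (`strictly as a CSS selector and not executable HTML`) without rewording what remains, so the reason for the `querySelector` call is no longer stated. Either keep both lines minus the `FIX:` prefix or collapse to one, e.g. `// querySelector parses the string only as a CSS selector, never as HTML`. The enclosing method on `MagnificPopup.prototype` starts and ends outside the hunk.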