From 8e3657e90c08784f9dc6cb0fab01a3607f957efc Mon Sep 17 00:00:00 2001
From: Oliver Behnke
Date: Thu, 17 Sep 2020 11:04:46 +0200
Subject: [PATCH] Drupal: SA-CORE-2020-007 fix for ctools https://dev.gridrepublic.org/browse/DBOINCP-530
---
 .../boinc/modules/contrib/ctools/ctools.info | 4 ++--
 .../contrib/ctools/js/ajax-responder.js | 20 +++++++++++--------
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/drupal/sites/default/boinc/modules/contrib/ctools/ctools.info b/drupal/sites/default/boinc/modules/contrib/ctools/ctools.info
index f321927c63..a5ec3a8de4 100644
--- a/drupal/sites/default/boinc/modules/contrib/ctools/ctools.info
+++ b/drupal/sites/default/boinc/modules/contrib/ctools/ctools.info
@@ -3,8 +3,8 @@ description = A library of helpful tools by Merlin of Chaos. core = 6.x package = Chaos tool suite ; Information added by Drupal.org packaging script on 2015-12-22
-version = "6.x-1.15-boinc-2-dev"
+version = "6.x-1.15-boinc-3-dev"
 core = "6.x"
 project = "ctools"
-datestamp = "1548704188"
+datestamp = "1600333247"
diff --git a/drupal/sites/default/boinc/modules/contrib/ctools/js/ajax-responder.js b/drupal/sites/default/boinc/modules/contrib/ctools/js/ajax-responder.js
index 530acc3a7c..44669ed76f 100644
--- a/drupal/sites/default/boinc/modules/contrib/ctools/js/ajax-responder.js
+++ b/drupal/sites/default/boinc/modules/contrib/ctools/js/ajax-responder.js
@@ -50,7 +50,7 @@
 var $objects = $('a[href="' + old_url + '"]');
 $objects.addClass('ctools-fetching');
 try {
- var url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+ var url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
 var ajaxOptions = {
 type: "POST",
 url: url,
@@ -68,7 +68,8 @@
 complete: function() {
 $objects.removeClass('ctools-fetching');
 },
- dataType: 'json'
+ dataType: 'json',
+ jsonp: false
 };
 $.ajax(ajaxOptions);
 }
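Review bot: The new `Drupal.sanitizeAjaxUrl(...)` call in the `@@ -50` hunk depends on a helper that this patch does not add; it is presumably supplied by the matching Drupal core JavaScript update for SA-CORE-2020-007, and if the `drupal.js` loaded by this site predates that update the call throws a `TypeError` inside the `try`, which the surrounding `catch (err)` (visible in the `@@ -131` hunk) turns into a quietly broken link rather than a visible deployment error. The same call is introduced at `@@ -117`, `@@ -159` and `@@ -329`. Confirm the companion core change ships together with this one; if a guard is wanted, it must fail closed rather than fall back to the unsanitized URL, e.g. `if (typeof Drupal.sanitizeAjaxUrl !== 'function') { throw new Error('Drupal.sanitizeAjaxUrl is missing; update Drupal core JavaScript'); }` placed before the call. The enclosing function starts before and ends after the hunk.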
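Review bot: `jsonp: false` in the `@@ -68` hunk only stops jQuery from rewriting a `=?` query parameter into a JSONP (script-tag) request on jQuery 1.5 or newer; as far as I can tell, the jQuery shipped with Drupal 6 core (1.2.6) treats `jsonp` merely as the callback parameter name and still performs that rewrite for `dataType: 'json'`, so on such a version the `Drupal.sanitizeAjaxUrl` call is the only thing preventing the downgrade. It is worth confirming which jQuery the site actually loads (core or a jquery_update replacement) before relying on the option as a second layer. A short comment on the option would help the next maintainer, e.g. `// Prevent jQuery from turning a '=?' parameter into a JSONP request (SA-CORE-2020-007).`. The same option is added at `@@ -131`, `@@ -173` and `@@ -346`.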
@@ -117,7 +118,7 @@
 }
 $(this).addClass('ctools-ajaxing');
 try {
- url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+ url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
 $.ajax({
 type: "POST",
 url: url,
@@ -131,7 +132,8 @@
 complete: function() {
 $('.ctools-ajaxing').removeClass('ctools-ajaxing');
 },
- dataType: 'json'
+ dataType: 'json',
+ jsonp: false
 });
 }
 catch (err) {
@@ -159,7 +161,7 @@
 $(this).addClass('ctools-ajaxing');
 try {
 if (url) {
- url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+ url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
 $.ajax({
 type: "POST",
 url: url,
@@ -173,7 +175,8 @@
 complete: function() {
 $('.ctools-ajaxing').removeClass('ctools-ajaxing');
 },
- dataType: 'json'
+ dataType: 'json',
+ jsonp: false
 });
 }
 else {
@@ -329,7 +332,7 @@
 var form_id = $object.parents('form').get(0).id;
 try {
 if (url) {
- url = Drupal.CTools.AJAX.urlReplaceNojs(url);
+ url = Drupal.sanitizeAjaxUrl(Drupal.CTools.AJAX.urlReplaceNojs(url));
 $.ajax({
 type: "POST",
 url: url,
@@ -346,7 +349,8 @@
 $('form#' + form_id).submit();
 }
 },
- dataType: 'json'
+ dataType: 'json',
+ jsonp: false
 });
 }
 else {