Updating jQuery 2.2.4 due to XSS vulnerabilities


asigno

On 9/25/2018 at 2:40 AM, bfarber said:

We don't (out of the box) use cross-domain requests so the reported issue is sort of moot.

That said, no it's not as simple as dropping in jQuery 3. Upgrading jQuery is something we're investigating for a future release, however.

@bfarber Hi, I noticed that 4.4 still has version 2.2.4 of jQuery, will this be changed for the public release?


8 minutes ago, asigno said:

@bfarber Hi, I noticed that 4.4 still has version 2.2.4 of jQuery, will this be changed for the public release?

No - as Brandon mentioned, 2.2.4 is the last release of the 2.x series, and we cannot simply drop in jQuery 3, as that may require massive changes to the suite which we are not comfortable with doing this late in 4.4 development.


jQuery 2.2.4 (which is the last of the 2.x series) is no longer receiving patches. I know from experience updating to jQuery 3.x is a PITA, so may I suggest taking the route (since it will be a PITA anyway) of dropping jQuery entirely and redoing all the scripting in plain JavaScript instead?

I know this won't be something for consideration for 4.4 (or probably 4.5), but 5.0 should remove this dependency. With browser differences quickly becoming minimal these days, the need for something like jQuery is becoming less critical.


39 minutes ago, Joy Rex said:

jQuery 2.2.4 (which is the last of the 2.x series) is no longer receiving patches. I know from experience updating to jQuery 3.x is a PITA, so may I suggest taking the route (since it will be a PITA anyway) of dropping jQuery entirely and redoing all the scripting in plain JavaScript instead?

I know this won't be something for consideration for 4.4 (or probably 4.5), but 5.0 should remove this dependency. With browser differences quickly becoming minimal these days, the need for something like jQuery is becoming less critical.

What benefits do you believe would be gained by dropping support for jQuery?


On 1/11/2019 at 9:22 AM, Ryan Ashbrook said:

No - as Brandon mentioned, 2.2.4 is the last release of the 2.x series, and we cannot simply drop in jQuery 3, as that may require massive changes to the suite which we are not comfortable with doing this late in 4.4 development.

I'm surprised that this wasn't taken onboard for 4.4. In fairness I wasn't insinuating that you "simply drop in jQuery 3", but jQuery 3 was released almost 3 years ago, and my question was written 8 months ago following a hack using a known exploit in the 2.2.4 codebase.

https://snyk.io/vuln/npm:jquery:20150627

Cross-site Scripting (XSS)
Affecting jquery package, versions <3.0.0-beta1 >1.12.3 || <1.12.0 >=1.4.0
DISCLOSED 26 Jun, 2015
PUBLISHED 27 Nov, 2016


Quote

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

This isn't a general exploit in jQuery itself - it's a security "hole" that is exposed when used in a specific manner, which we don't.

We will update jQuery in due course. This security issue is not a concern at this time, however.


On 1/11/2019 at 11:25 AM, bfarber said:

What benefits do you believe would be gained by dropping support for jQuery?

  • One less library/dependency to keep up with and maintain
  • Less assets loading (from CDN or otherwise) on client machines (at least initially)
  • Faster DOM access with plain JS vs jQuery
  • jQuery was created to address browser JS inconsistency - this is far less a concern in 2019
  • A lot of the shortcuts introduced by jQuery are now in standard JS
  • jQuery 3 is years old now - if IPS updates to jQuery 3, jQuery's next major version could put us right back to where we are now (e.g., using an outdated version of jQuery)

And there's more, and probably some cons to straight JS over jQuery - I suppose it depends on how heavily "invested" IPS is using jQuery, and your engineers' preferences and experience with jQuery vs plain JS. I'm a jQuery fan and love all the scripts and plugins people have made over the years, but there too you have more libraries to maintain and update.

Also, there seems to be a trend nowadays to move from jQuery back to plain JS - how long before this trend is the standard?

This site has an interesting take on the jQuery vs JS debate - and guides you through common use scenarios to suggest whether you need jQuery or not: http://youmightnotneedjquery.com/

