Edgewall Software
Modify

Opened 7 years ago

Closed 3 years ago

Last modified 2 years ago

#12858 closed enhancement (fixed)

Upgrade to jQuery 3

Reported by: Ryan J Ollos Owned by: Ryan J Ollos
Priority: normal Milestone: 1.5.4
Component: general Version:
Severity: normal Keywords: jquery security
Cc: Branch:
Release Notes:
API Changes:

Upgraded the bundled jQuery to version 3.6.0.

Internal Changes:

Description (last modified by Ryan J Ollos)

jQuery was upgraded to 1.12.4 in #12348 for the 1.4 release. For 1.5.1 We should upgrade to jQuery 3 and possibly include the jQuery migrate plugin in Trac.

Attachments (0)

Change History (29)

comment:1 by Ryan J Ollos, 7 years ago

Description: modified (diff)

comment:2 by Ryan J Ollos, 7 years ago

Description: modified (diff)
Milestone: 1.5.11.3.3
Owner: set to Ryan J Ollos
Status: newassigned

comment:3 by Ryan J Ollos, 7 years ago

Upgraded to jQuery 3.2.1 and replaced deprecated functions: log:rjollos.git:t12858_jquery3.

One issue noted so far: setting visibility of elements, like in r14346, results in a flicker on page load.

Last edited 7 years ago by Ryan J Ollos (previous) (diff)

comment:4 by Ryan J Ollos, 7 years ago

Milestone: 1.3.31.5.1
Owner: Ryan J Ollos removed
Status: assignednew

jQuery 3 drops support for IE6 - 8. While I don't particularly care about those old browsers, I've considered that it might be better to defer jQuery 3 adoption to 1.5.1. I committed a few changes in [16421:16424].

comment:5 by Ryan J Ollos, 5 years ago

Owner: set to Ryan J Ollos
Status: newassigned

comment:6 by Ryan J Ollos, 5 years ago

I will do more testing and push the changes in a few days.

comment:7 by Ryan J Ollos, 5 years ago

Type: defectenhancement

comment:8 by Ryan J Ollos, 5 years ago

Milestone: 1.5.11.5.3

comment:9 by Ryan J Ollos, 5 years ago

We may eventually need a replacement for jQuery Timepicker add-on since it's no longer maintained.

Last edited 5 years ago by Ryan J Ollos (previous) (diff)

comment:10 by teridon@…, 5 years ago

Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac non vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

in reply to:  10 comment:11 by Ryan J Ollos, 5 years ago

Replying to teridon@…:

Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac non vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

We'll upgrade to the latest jQuery in this ticket, whether that be 3.5.1 or a later version.

I don't know if earlier versions of Trac that use jQuery 1.x are impacted. I assume that any HTML created using a jQuery object would be passed through the regex, so anything like the following could be affected: tags/trac-1.4.2/trac/htdocs/js/query.js@:176#L165. We'd need to know more about the corner cases that make the code vulnerable to XSS.

comment:12 by Jun Omae, 4 years ago

#13347 was closed as a duplicate.

The current version of jquery shipped with Trac-stable and Trac-dev is 1.12.4 and contains publicly reported vulnerabilities: https://snyk.io/vuln/npm:jquery

comment:13 by figaro, 4 years ago

Keywords: security added

Copying keyword from duplicate ticket, which was a motivation for posting it.

comment:14 by Ryan J Ollos, 4 years ago

Milestone: 1.5.31.5.4

comment:15 by Ryan J Ollos, 4 years ago

Latest jQuery is 3.6.0. I'll update the branch with proposed changes.

DONE update JavaScript page.

Last edited 4 years ago by Ryan J Ollos (previous) (diff)

comment:16 by Ryan J Ollos, 4 years ago

API Changes: modified (diff)

comment:17 by Ryan J Ollos, 4 years ago

Proposed changes in log:rjollos.git:t12858_jquery3.

I'm getting some intermittent failures that I haven't determined the cause of yet. The traceback always looks like this:

======================================================================
ERROR: runTest (trac.ticket.tests.functional.main.RegressionTestTicket5602)
Test for regression of https://trac.edgewall.org/ticket/5602
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 439, in _find_by
    return driver.find_element_by_css_selector(args[0])
  File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 598, in find_element_by_css_selector
    return self.find_element(by=By.CSS_SELECTOR, value=css_selector)
  File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 976, in find_element
    return self.execute(Command.FIND_ELEMENT, {
  File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
    self.error_handler.check_response(response)
  File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
    raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.NoSuchElementException: Message: Unable to locate element: #propertyform .collapsed .foldable a


The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/ticket/tests/functional/main.py", line 1322, in runTest
    tc.click('#propertyform .collapsed .foldable a')
  File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 163, in click
    self._find_by(*args, **kwargs).click()
  File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 444, in _find_by
    raise AssertionError('Missing element (%r, %r) in %s' %
AssertionError: Missing element (('#propertyform .collapsed .foldable a',), {}) in file:///Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/testenv/trac/log/RegressionTestTicket5602.html

in reply to:  17 comment:18 by Ryan J Ollos, 4 years ago

Replying to Ryan J Ollos:

I'm getting some intermittent failures that I haven't determined the cause of yet. The traceback always looks like this:

Hmmmm, not seeing these failures today in more than a dozen test executions.

comment:19 by Ryan J Ollos, 4 years ago

Committed r17551 to make this intermittent failure more obvious (timing issue?):

======================================================================
ERROR: runTest (trac.wiki.tests.functional.TestWikiReadonlyAttribute)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/wiki/tests/functional.py", line 236, in runTest
    tc.find(readonly_checkbox)
  File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 209, in find
    raise AssertionError("Regex didn't match: {!r} not found in {}"
AssertionError: Regex didn't match: '<input type="checkbox" name="readonly" id="readonly"/>' not found in file:///Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/testenv/trac/log/TestWikiReadonlyAttribute.html

comment:20 by Jun Omae, 4 years ago

Yes. I noticed we should check page load and wait for jQuery.ready() on the page load when visiting an URL, submitting a form, clicking a link, etc.: [4aae058ed/jomae.git].

After the changes, 1 failure.

======================================================================
ERROR: runTest (trac.ticket.tests.functional.main.TestTicketTimeline)
Test ticket details on timeline
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/jun66j5/src/tracdev/git/trac/ticket/tests/functional/main.py", line 682, in runTest
    tc.submit(formname='prefs')
  File "/home/jun66j5/src/tracdev/git/trac/tests/functional/better_twill.py", line 400, in submit
    element.click()
  File "/usr/lib/python3.9/contextlib.py", line 124, in __exit__
    next(self.gen)
  File "/home/jun66j5/src/tracdev/git/trac/tests/functional/better_twill.py", line 544, in _wait_for_page_load
    raise AssertionError('Timed out for page load in %s' %
AssertionError: Timed out for page load in file:///home/jun66j5/src/tracdev/git/testenv/trac/log/TestTicketTimeline.html

comment:21 by Ryan J Ollos, 4 years ago

Looks good. I also see just the one test failure TestTicketTimeline.

comment:22 by Jun Omae, 4 years ago

The failure occurs because the page is not loaded when the form generates the same of current URL with #. Root cause is lead by <form action="#"> which is introduced in switching to Jinja2 template and HTML5. HTML5 doesn't support empty action attribute of form: [c3c382062/cboos.git].

I think we could use the path of the request rather than <form action="#">: [66f8c7c49/jomae.git]

in reply to:  22 ; comment:23 by Ryan J Ollos, 4 years ago

Replying to Jun Omae:

I think we could use the path of the request rather than <form action="#">: [66f8c7c49/jomae.git]

That looks good. All tests pass for me. Do you want to push the changes?

in reply to:  23 comment:24 by Jun Omae, 4 years ago

Replying to Ryan J Ollos:

Replying to Jun Omae:

I think we could use the path of the request rather than <form action="#">: [66f8c7c49/jomae.git]

That looks good. All tests pass for me. Do you want to push the changes?

Yes, if no issue is lead by the changes.

However, the NoSuchElementException randomly happens when finding a element in the foldable element after new ticket is created.

In [301efb439/jomae.git], add toggle_foldable() method to wait present of a element in foldable element and toggle it, in order to fix it.

comment:25 by Ryan J Ollos, 4 years ago

The changes look good. I ran the tests a half-dozen times on macOS with no failures.

comment:26 by Ryan J Ollos, 3 years ago

Do you think the changes are ready to push? They look good to me.

comment:27 by Ryan J Ollos, 3 years ago

Resolution: fixed
Status: assignedclosed

Committed changes to trunk in r17562.

comment:29 by Ryan J Ollos, 2 years ago

#13494

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Ryan J Ollos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.