Opened 3 years ago

Last modified 3 months ago

#12858 assigned enhancement

Upgrade to jQuery 3

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Milestone: 1.5.3
Component: general
Version:
Severity: normal
Keywords: jquery
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

jQuery was upgraded to 1.12.4 in #12348 for the 1.4 release. For 1.5.1 we should upgrade to jQuery 3 and possibly include the jQuery migrate plugin in Trac.

Change History (11)

comment:1 by Ryan J Ollos, 3 years ago

Description: modified (diff)

comment:2 by Ryan J Ollos, 3 years ago

Description: modified (diff)
Milestone: 1.5.1 → 1.3.3
Owner: set to Ryan J Ollos
Status: new → assigned

comment:3 by Ryan J Ollos, 3 years ago

Upgraded to jQuery 3.2.1 and replaced deprecated functions: log:rjollos.git:t12858_jquery3.

One issue noted so far: setting visibility of elements, like in r14346, results in a flicker on page load.


comment:4 by Ryan J Ollos, 3 years ago

Milestone: 1.3.3 → 1.5.1
Owner: Ryan J Ollos removed
Status: assigned → new

jQuery 3 drops support for IE6 - 8. While I don't particularly care about those old browsers, I've considered that it might be better to defer jQuery 3 adoption to 1.5.1. I committed a few changes in [16421:16424].

comment:5 by Ryan J Ollos, 13 months ago

Owner: set to Ryan J Ollos
Status: new → assigned

comment:6 by Ryan J Ollos, 13 months ago

I will do more testing and push the changes in a few days.

comment:7 by Ryan J Ollos, 8 months ago

Type: defect → enhancement

comment:8 by Ryan J Ollos, 5 months ago

Milestone: 1.5.1 → 1.5.3

comment:9 by Ryan J Ollos, 4 months ago

We may eventually need a replacement for jQuery Timepicker add-on since it's no longer maintained.


comment:10 by teridon@…, 3 months ago

Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is Trac not vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

comment:11 by Ryan J Ollos, 3 months ago, in reply to: 10

Replying to teridon@…:

Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is Trac not vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

We'll upgrade to the latest jQuery in this ticket, whether that be 3.5.1 or a later version.

I don't know if earlier versions of Trac that use jQuery 1.x are impacted. I assume that any HTML created using a jQuery object would be passed through the regex, so anything like the following could be affected: tags/trac-1.4.2/trac/htdocs/js/query.js@:176#L165. We'd need to know more about the corner cases that make the code vulnerable to XSS.
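The regex rewrite discussed in comment:11, as an added example that is not part of the ticket and is not Trac or jQuery project code: it models the self-closing-tag expansion that jQuery applied in `htmlPrefilter` before 3.5.0 and reports which HTML strings that rewrite would change, plus a version check against 3.5.0. The regex is reproduced as an assumption and should be checked against the jQuery file actually shipped; the sample strings and all function names are constructed for illustration.

```javascript
// Added example, not Trac or jQuery project code.
// ASSUMPTION: this regex models the self-closing-tag rewrite performed by
// jQuery.htmlPrefilter before 3.5.0; verify against the jQuery file you ship.
const LEGACY_RX =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: "<tag .../>" is expanded to "<tag ...></tag>".
function legacyPrefilter(html) {
  return html.replace(LEGACY_RX, "<$1></$2>");
}

// Report which strings the legacy rewrite would change before parsing.
// A changed string means the markup jQuery parses differs from the markup
// that was reviewed or sanitized upstream.
function auditHtmlStrings(samples) {
  return samples.map((html) => {
    const rewritten = legacyPrefilter(html);
    return { html, rewritten, mutated: rewritten !== html };
  });
}

// True when a jQuery version string is at or above 3.5.0, the release the
// ticket's reference link announces.
function hasPrefilterFix(version) {
  const parts = version.split(".").map((p) => parseInt(p, 10) || 0);
  const fixed = [3, 5, 0];
  for (let i = 0; i < fixed.length; i++) {
    const v = parts[i] || 0;
    if (v !== fixed[i]) return v > fixed[i];
  }
  return true;
}

// Constructed, benign sample strings of the kind UI code passes to jQuery.
const SAMPLES = [
  '<div class="filter"/>',
  "<br/>",
  '<option value="1">one</option>',
  '<span id="x"/><em>y</em>',
];

for (const r of auditHtmlStrings(SAMPLES)) {
  console.log(r.mutated ? "MUTATED  " : "unchanged", r.html, "=>", r.rewritten);
}
for (const v of ["1.12.4", "3.2.1", "3.5.1"]) {
  console.log(v, hasPrefilterFix(v) ? "has the 3.5.0 fix" : "predates 3.5.0");
}
```

An unchanged string only means this one rewrite leaves it alone; it says nothing about other parsing behaviour, so the audit narrows where to look rather than clearing a call site.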
