#12858 closed enhancement (fixed)
Upgrade to jQuery 3
| Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.5.4 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | jquery security |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: |
Upgraded the bundled jQuery to version 3.6.0. |
||
| Internal Changes: | |||
Description (last modified by )
jQuery was upgraded to 1.12.4 in #12348 for the 1.4 release. For 1.5.1 We should upgrade to jQuery 3 and possibly include the jQuery migrate plugin in Trac.
Attachments (0)
Change History (29)
comment:1 by , 7 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 7 years ago
| Description: | modified (diff) |
|---|---|
| Milestone: | 1.5.1 → 1.3.3 |
| Owner: | set to |
| Status: | new → assigned |
comment:4 by , 7 years ago
| Milestone: | 1.3.3 → 1.5.1 |
|---|---|
| Owner: | removed |
| Status: | assigned → new |
jQuery 3 drops support for IE6 - 8. While I don't particularly care about those old browsers, I've considered that it might be better to defer jQuery 3 adoption to 1.5.1. I committed a few changes in [16421:16424].
comment:5 by , 5 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:7 by , 5 years ago
| Type: | defect → enhancement |
|---|
comment:8 by , 5 years ago
| Milestone: | 1.5.1 → 1.5.3 |
|---|
comment:9 by , 4 years ago
We may eventually need a replacement for jQuery Timepicker add-on since it's no longer maintained.
follow-up: 11 comment:10 by , 4 years ago
Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac non vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
comment:11 by , 4 years ago
Replying to teridon@…:
Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac non vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
We'll upgrade to the latest jQuery in this ticket, whether that be 3.5.1 or a later version.
I don't know if earlier versions of Trac that use jQuery 1.x are impacted. I assume that any HTML created using a jQuery object would be passed through the regex, so anything like the following could be affected: tags/trac-1.4.2/trac/htdocs/js/query.js@:176#L165. We'd need to know more about the corner cases that make the code vulnerable to XSS.
comment:12 by , 4 years ago
#13347 was closed as a duplicate.
The current version of jquery shipped with Trac-stable and Trac-dev is 1.12.4 and contains publicly reported vulnerabilities: https://snyk.io/vuln/npm:jquery
comment:13 by , 4 years ago
| Keywords: | security added |
|---|
Copying keyword from duplicate ticket, which was a motivation for posting it.
comment:14 by , 4 years ago
| Milestone: | 1.5.3 → 1.5.4 |
|---|
comment:15 by , 3 years ago
Latest jQuery is 3.6.0. I'll update the branch with proposed changes.
DONE update JavaScript page.
comment:16 by , 3 years ago
| API Changes: | modified (diff) |
|---|
follow-up: 18 comment:17 by , 3 years ago
Proposed changes in log:rjollos.git:t12858_jquery3.
I'm getting some intermittent failures that I haven't determined the cause of yet. The traceback always looks like this:
======================================================================
ERROR: runTest (trac.ticket.tests.functional.main.RegressionTestTicket5602)
Test for regression of https://trac.edgewall.org/ticket/5602
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 439, in _find_by
return driver.find_element_by_css_selector(args[0])
File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 598, in find_element_by_css_selector
return self.find_element(by=By.CSS_SELECTOR, value=css_selector)
File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 976, in find_element
return self.execute(Command.FIND_ELEMENT, {
File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
self.error_handler.check_response(response)
File "/Users/rjollos/.pyenv/versions/trac-py395/lib/python3.9/site-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.NoSuchElementException: Message: Unable to locate element: #propertyform .collapsed .foldable a
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/ticket/tests/functional/main.py", line 1322, in runTest
tc.click('#propertyform .collapsed .foldable a')
File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 163, in click
self._find_by(*args, **kwargs).click()
File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 444, in _find_by
raise AssertionError('Missing element (%r, %r) in %s' %
AssertionError: Missing element (('#propertyform .collapsed .foldable a',), {}) in file:///Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/testenv/trac/log/RegressionTestTicket5602.html
comment:18 by , 3 years ago
Replying to Ryan J Ollos:
I'm getting some intermittent failures that I haven't determined the cause of yet. The traceback always looks like this:
Hmmmm, not seeing these failures today in more than a dozen test executions.
comment:19 by , 3 years ago
Committed r17551 to make this intermittent failure more obvious (timing issue?):
======================================================================
ERROR: runTest (trac.wiki.tests.functional.TestWikiReadonlyAttribute)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/wiki/tests/functional.py", line 236, in runTest
tc.find(readonly_checkbox)
File "/Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/trac/tests/functional/better_twill.py", line 209, in find
raise AssertionError("Regex didn't match: {!r} not found in {}"
AssertionError: Regex didn't match: '<input type="checkbox" name="readonly" id="readonly"/>' not found in file:///Users/rjollos/Documents/Workspace/trac-dev/teo-rjollos.git/testenv/trac/log/TestWikiReadonlyAttribute.html
comment:20 by , 3 years ago
Yes. I noticed we should check page load and wait for jQuery.ready() on the page load when visiting an URL, submitting a form, clicking a link, etc.: [4aae058ed/jomae.git].
After the changes, 1 failure.
======================================================================
ERROR: runTest (trac.ticket.tests.functional.main.TestTicketTimeline)
Test ticket details on timeline
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/jun66j5/src/tracdev/git/trac/ticket/tests/functional/main.py", line 682, in runTest
tc.submit(formname='prefs')
File "/home/jun66j5/src/tracdev/git/trac/tests/functional/better_twill.py", line 400, in submit
element.click()
File "/usr/lib/python3.9/contextlib.py", line 124, in __exit__
next(self.gen)
File "/home/jun66j5/src/tracdev/git/trac/tests/functional/better_twill.py", line 544, in _wait_for_page_load
raise AssertionError('Timed out for page load in %s' %
AssertionError: Timed out for page load in file:///home/jun66j5/src/tracdev/git/testenv/trac/log/TestTicketTimeline.html
follow-up: 23 comment:22 by , 3 years ago
The failure occurs because the page is not loaded when the form generates the same of current URL with #. Root cause is lead by <form action="#"> which is introduced in switching to Jinja2 template and HTML5. HTML5 doesn't support empty action attribute of form: [c3c382062/cboos.git].
I think we could use the path of the request rather than <form action="#">: [66f8c7c49/jomae.git]
follow-up: 24 comment:23 by , 3 years ago
Replying to Jun Omae:
I think we could use the path of the request rather than
<form action="#">: [66f8c7c49/jomae.git]
That looks good. All tests pass for me. Do you want to push the changes?
comment:24 by , 3 years ago
Replying to Ryan J Ollos:
Replying to Jun Omae:
I think we could use the path of the request rather than
<form action="#">: [66f8c7c49/jomae.git]That looks good. All tests pass for me. Do you want to push the changes?
Yes, if no issue is lead by the changes.
However, the NoSuchElementException randomly happens when finding a element in the foldable element after new ticket is created.
- https://travis-ci.com/github/jun66j5/trac/jobs/511529272
- https://ci.appveyor.com/project/jun66j5/trac/builds/39485388/job/gyt3r8g72679b2ee
- https://github.com/jun66j5/trac/actions/runs/911199074
In [301efb439/jomae.git], add toggle_foldable() method to wait present of a element in foldable element and toggle it, in order to fix it.
comment:25 by , 3 years ago
The changes look good. I ran the tests a half-dozen times on macOS with no failures.
comment:27 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Committed changes to trunk in r17562.
Upgraded to jQuery 3.2.1 and replaced deprecated functions: log:rjollos.git:t12858_jquery3.
One issue noted so far: setting visibility of elements, like in r14346, results in a flicker on page load.