Opened 7 years ago
Last modified 17 months ago
#12858 closed enhancement
Upgrade to jQuery 3 — at Version 16
| Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.5.4 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | jquery security |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | Upgraded the bundled jQuery to version 3.6.0. | | |
| Internal Changes: | | | |
Description (last modified by )
jQuery was upgraded to 1.12.4 in #12348 for the 1.4 release. For 1.5.1 we should upgrade to jQuery 3 and possibly include the jQuery migrate plugin in Trac.
Change History (16)
comment:1 by , 7 years ago
| Description: | modified (diff) |
|---|---|
comment:2 by , 7 years ago
| Description: | modified (diff) |
|---|---|
| Milestone: | 1.5.1 → 1.3.3 |
| Owner: | set to |
| Status: | new → assigned |
comment:4 by , 6 years ago
| Milestone: | 1.3.3 → 1.5.1 |
|---|---|
| Owner: | removed |
| Status: | assigned → new |
jQuery 3 drops support for IE6 - 8. While I don't particularly care about those old browsers, I've considered that it might be better to defer jQuery 3 adoption to 1.5.1. I committed a few changes in [16421:16424].
comment:5 by , 5 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:7 by , 4 years ago
| Type: | defect → enhancement |
|---|---|
comment:8 by , 4 years ago
| Milestone: | 1.5.1 → 1.5.3 |
|---|---|
comment:9 by , 4 years ago
We may eventually need a replacement for jQuery Timepicker add-on since it's no longer maintained.
comment:10 by , 4 years ago (follow-up: comment:11)
Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac not vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
comment:11 by , 4 years ago
Replying to teridon@…:
> Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac not vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
We'll upgrade to the latest jQuery in this ticket, whether that be 3.5.1 or a later version.
I don't know if earlier versions of Trac that use jQuery 1.x are impacted. I assume that any HTML created using a jQuery object would be passed through the regex, so anything like the following could be affected: tags/trac-1.4.2/trac/htdocs/js/query.js@:176#L165. We'd need to know more about the corner cases that make the code vulnerable to XSS.
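As an added example (not code from this ticket or from Trac itself), a small Node.js audit that reads the version banner of a bundled jquery.js and flags copies older than 3.5.0, the release that fixed CVE-2020-11022 and CVE-2020-11023. The file paths and banner strings below are constructed samples, and the "/*! jQuery vX.Y.Z" banner format is assumed to be what the bundled file carries.

```javascript
// Added example: audit bundled jQuery copies for the htmlPrefilter XSS
// advisories (CVE-2020-11022 / CVE-2020-11023), which were fixed in jQuery 3.5.0.
// Assumption: each bundled file begins with the standard "/*! jQuery vX.Y.Z | ..." banner.

const FIXED_IN = '3.5.0';

// Pull "X.Y.Z" out of the jQuery banner comment; null if no banner is present.
function extractJqueryVersion(source) {
  const m = /jQuery v(\d+\.\d+\.\d+)/.exec(source);
  return m ? m[1] : null;
}

// Numeric component-wise comparison. A plain string compare would be wrong here:
// "1.12.4" sorts before "1.9.0" lexicographically but is the newer release.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Audit one file's source text; returns { version, affected, reason }.
function auditJquery(source) {
  const version = extractJqueryVersion(source);
  if (version === null) {
    return { version: null, affected: null, reason: 'no jQuery banner found' };
  }
  const affected = compareVersions(version, FIXED_IN) < 0;
  return {
    version,
    affected,
    reason: affected
      ? `older than ${FIXED_IN}: htmlPrefilter XSS (CVE-2020-11022 / CVE-2020-11023)`
      : `${FIXED_IN} or later: not affected by CVE-2020-11022 / CVE-2020-11023`,
  };
}

// Constructed samples mirroring the two versions discussed in this ticket (1.12.4 and 3.6.0).
const SAMPLES = {
  'trac-1.4.2/htdocs/js/jquery.js': '/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n',
  'trac-dev/htdocs/js/jquery.js': '/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n',
  'trac-dev/htdocs/js/query.js': '// Trac query page script, not a jQuery build\n',
};

function auditAll(files) {
  const out = {};
  for (const [path, src] of Object.entries(files)) out[path] = auditJquery(src);
  return out;
}

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

Running the script over a real checkout only needs the banner strings replaced by `fs.readFileSync` of each `htdocs/js/*.js` file.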
comment:12 by , 3 years ago
#13347 was closed as a duplicate.
The current version of jquery shipped with Trac-stable and Trac-dev is 1.12.4 and contains publicly reported vulnerabilities: https://snyk.io/vuln/npm:jquery
comment:13 by , 3 years ago
| Keywords: | security added |
|---|---|
Copying keyword from duplicate ticket, which was a motivation for posting it.
comment:14 by , 3 years ago
| Milestone: | 1.5.3 → 1.5.4 |
|---|---|
comment:15 by , 3 years ago
Latest jQuery is 3.6.0. I'll update the branch with proposed changes.
DONE update JavaScript page.
comment:16 by , 3 years ago
| API Changes: | modified (diff) |
|---|---|
Upgraded to jQuery 3.2.1 and replaced deprecated functions: log:rjollos.git:t12858_jquery3.
One issue noted so far: setting visibility of elements, like in r14346, results in a flicker on page load.