Opened 7 years ago
Last modified 17 months ago
#12858 closed enhancement
Upgrade to jQuery 3 — at Version 16
| Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.5.4 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | jquery security |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: |
Upgraded the bundled jQuery to version 3.6.0. |
||
| Internal Changes: | |||
Description (last modified by )
jQuery was upgraded to 1.12.4 in #12348 for the 1.4 release. For 1.5.1 We should upgrade to jQuery 3 and possibly include the jQuery migrate plugin in Trac.
Change History (16)
comment:1 by , 7 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 7 years ago
| Description: | modified (diff) |
|---|---|
| Milestone: | 1.5.1 → 1.3.3 |
| Owner: | set to |
| Status: | new → assigned |
comment:4 by , 6 years ago
| Milestone: | 1.3.3 → 1.5.1 |
|---|---|
| Owner: | removed |
| Status: | assigned → new |
jQuery 3 drops support for IE6 - 8. While I don't particularly care about those old browsers, I've considered that it might be better to defer jQuery 3 adoption to 1.5.1. I committed a few changes in [16421:16424].
comment:5 by , 5 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:7 by , 4 years ago
| Type: | defect → enhancement |
|---|
comment:8 by , 4 years ago
| Milestone: | 1.5.1 → 1.5.3 |
|---|
comment:9 by , 4 years ago
We may eventually need a replacement for jQuery Timepicker add-on since it's no longer maintained.
follow-up: 11 comment:10 by , 4 years ago
Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac non vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
comment:11 by , 4 years ago
Replying to teridon@…:
Should CVE-2020-11022 and CVE-2020-11023 affect the timeline of this enhancement? Or is trac non vulnerable because it doesn't accept HTML input? Reference: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
We'll upgrade to the latest jQuery in this ticket, whether that be 3.5.1 or a later version.
I don't know if earlier versions of Trac that use jQuery 1.x are impacted. I assume that any HTML created using a jQuery object would be passed through the regex, so anything like the following could be affected: tags/trac-1.4.2/trac/htdocs/js/query.js@:176#L165. We'd need to know more about the corner cases that make the code vulnerable to XSS.
comment:12 by , 3 years ago
#13347 was closed as a duplicate.
The current version of jquery shipped with Trac-stable and Trac-dev is 1.12.4 and contains publicly reported vulnerabilities: https://snyk.io/vuln/npm:jquery
comment:13 by , 3 years ago
| Keywords: | security added |
|---|
Copying keyword from duplicate ticket, which was a motivation for posting it.
comment:14 by , 3 years ago
| Milestone: | 1.5.3 → 1.5.4 |
|---|
comment:15 by , 3 years ago
Latest jQuery is 3.6.0. I'll update the branch with proposed changes.
DONE update JavaScript page.
comment:16 by , 3 years ago
| API Changes: | modified (diff) |
|---|
Upgraded to jQuery 3.2.1 and replaced deprecated functions: log:rjollos.git:t12858_jquery3.
One issue noted so far: setting visibility of elements, like in r14346, results in a flicker on page load.