
Upgrade jQuery past known vulnerabilities #511

Open
RudolfCardinal opened this issue May 1, 2021 · 1 comment

Comments

@RudolfCardinal (Contributor)

Thanks for Deform; lovely work!
A question/issue re the jQuery version and security:

This was pointed out to us by a penetration testing company. They note that the potential exploit methods are complex, but I'm afraid I don't know whether this is in effect a false positive or whether it is a real concern. However, on the assumption that they are right:

Could Deform ship with a more recent jQuery version? I note this is clearly not as simple as dropping in the current version (3.6.0 does not work)! Many thanks for thinking about this.

@stevepiercy (Member)

Yes, Deform could (and should) use a more current and secure version of jQuery.

I would accept a PR that passes all functional tests. I'd be happy to assist you with the setup if you want to do the necessary work.

Putting JavaScripts in the <head> was done because no one could figure out how to inject jQuery inside the closing </body> and inject a widget's JavaScripts after it. We did some work to make this more flexible, and more work is needed to complete the task.

Additionally, we now have two branches.

  • main is where development of the upcoming Deform 3.0 release takes place. It will use Bootstrap 5 and drop support for EOLed Python versions. We will also consider either replacing or dropping incompatible widgets that depend on a vulnerable version of jQuery. Demo: https://deformdemo3.pylonsproject.org/
  • 2.0-branch receives backported changes from main. This branch will get minimal changes to support backward compatibility. Demo: https://deformdemo.pylonsproject.org/
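One defender-side check that follows from this thread, added here as an example and not Deform's own code: a small Python audit that reads the version banner jQuery ships at the top of its distribution files and flags any bundled copy below a minimum version the maintainer chooses. The file names and contents in `SAMPLE_SOURCES` are constructed, the asset layout `audit_tree` walks is assumed, and the `3.5.0` floor used in `demo()` is a placeholder assumption rather than a version the thread states.

```python
"""Audit bundled jQuery copies and flag any below a caller-chosen minimum version.

Added example, not Deform's code. jQuery's distribution files open with a
banner comment that carries the version ("/*! jQuery v3.6.0 | (c) ..." in
the minified build, " * jQuery JavaScript Library v3.6.0" in the
uncompressed build), which is more reliable than trusting a file name.
"""
from __future__ import annotations

import re
from pathlib import Path

# Older releases used two-part versions (e.g. "v1.7"), so the patch number is optional.
_BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")


def parse_jquery_version(source: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) from a jQuery file's banner, or None if absent."""
    match = _BANNER_RE.search(source[:4096])  # the banner sits at the top of the file
    if match is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a dotted version string such as '3.5.0' (or '3.5') into a comparable tuple."""
    parts = text.split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR[.PATCH], got {text!r}")
    parts = parts + ["0"] * (3 - len(parts))
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def audit_sources(sources: dict[str, str], minimum: str) -> list[dict]:
    """Check each name -> file-contents pair against the minimum version.

    Returns one finding per jQuery file with status 'ok', 'outdated' or
    'unversioned'. Files whose banner does not identify jQuery are skipped:
    widget scripts and plugins are not the dependency under audit, unless the
    file name claims to be jQuery, in which case it is reported as unverifiable.
    """
    floor = parse_version(minimum)
    findings = []
    for name, source in sorted(sources.items()):
        version = parse_jquery_version(source)
        if version is None:
            if "jquery" in Path(name).name.lower():
                findings.append({"file": name, "version": None, "status": "unversioned"})
            continue
        status = "ok" if version >= floor else "outdated"
        findings.append({"file": name, "version": ".".join(map(str, version)), "status": status})
    return findings


def audit_tree(root: Path, minimum: str) -> list[dict]:
    """Read every .js file under root (assumed static-asset layout) and audit it."""
    sources = {
        str(path.relative_to(root)): path.read_text(encoding="utf-8", errors="replace")
        for path in root.rglob("*.js")
    }
    return audit_sources(sources, minimum)


# Constructed sample inputs standing in for files in a static-asset tree.
SAMPLE_SOURCES = {
    "static/scripts/jquery-1.12.4.min.js":
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}",
    "static/scripts/jquery.js":
        "/*!\n * jQuery JavaScript Library v3.6.0\n * https://jquery.com/\n */\n(function(g,f){})",
    "static/scripts/widget.js":
        "// widget code: uses window.jQuery but is not jQuery itself\n",
    "static/scripts/jquery-custom.min.js":
        "!function(a){a.fn.plugin=function(){}}(jQuery);\n",
}


def demo(minimum: str = "3.5.0") -> list[dict]:
    """Run the audit over the constructed samples; the floor is a placeholder assumption."""
    return audit_sources(SAMPLE_SOURCES, minimum)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']:<12} {finding['version'] or '?':<8} {finding['file']}")
```

Run `audit_tree(Path("static"), "<minimum>")` from a project checkout to get the same findings for real files; any `outdated` or `unversioned` entry is worth a look before the next release, and the check is cheap enough to wire into the functional-test run stevepiercy mentions.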
