Invalid links exist in jquery #4981
Comments
The blindsignals site indeed seems to be malicious now, but the link goes to the Web Archive copy (which is not malicious). Still probably worth removing (or replacing) the link.
Related issue: #4980
This happens pretty often with old sites: they expire and are bought by folks trying to leverage the domain being saved for many users. That said, we are referring to a Web Archive snapshot, which is fine. There's no other way to still refer to the old content. Should we just delete the link? I'm not sure if it's always a good strategy. For example, this old jQuery blog post refers to an expired @timmywil @gibson042 @dmethvin what do you think?
We'll remove these links from source, but leave the blog posts for now.
We are using AngularJS, which uses jqLite. Does this vulnerability also exist in jqLite?
@adiGershon There's no vulnerability here, neither in jQuery nor in jqLite. The issue is just a link in a code comment, and comments are ignored when code is run.
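The point made in the reply above is that a URL inside a comment never executes, so a scanner hit on it is a triage question rather than a vulnerability. The following script is an added example, not part of the jQuery project or this thread: it walks a JavaScript source file with a small tokenizer, records every URL together with the context it appears in (line comment, block comment, string literal, or bare code), and returns only the URLs that sit outside comments, which is the list a security team actually needs to review. The sample input is constructed for the demonstration; it reuses the Web Archive link quoted in this issue and otherwise uses hypothetical `example.invalid` hosts. Regex literals containing quote characters are not handled, which is noted in the code.

```python
import re
from typing import List, Tuple

# Matches http(s) URLs; stops at whitespace, quotes, closing paren/angle
# brackets and '*' so a URL just before '*/' is captured cleanly.
URL_RE = re.compile(r"https?://[^\s'\"`)<>*]+")

COMMENT_CONTEXTS = ("line-comment", "block-comment")


def _collect(text: str, context: str, out: List[Tuple[str, str]]) -> None:
    """Append every URL found in `text`, tagged with its context."""
    for m in URL_RE.finditer(text):
        out.append((m.group(0), context))


def classify_urls(source: str) -> List[Tuple[str, str]]:
    """Tokenize JS source coarsely and return (url, context) pairs.

    Contexts: 'line-comment', 'block-comment', 'string', 'code'.
    Limitation: a regex literal containing a quote (e.g. /"/) would be
    mis-read as the start of a string; good enough for triage, not a parser.
    """
    results: List[Tuple[str, str]] = []
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        nxt = source[i + 1] if i + 1 < n else ""
        if ch == "/" and nxt == "/":
            # Line comment runs to end of line.
            end = source.find("\n", i)
            end = n if end == -1 else end
            _collect(source[i:end], "line-comment", results)
            i = end
        elif ch == "/" and nxt == "*":
            # Block comment runs to the closing '*/' (or EOF if unterminated).
            end = source.find("*/", i + 2)
            end = n if end == -1 else end + 2
            _collect(source[i:end], "block-comment", results)
            i = end
        elif ch in "'\"`":
            # String literal; honour backslash escapes so an escaped quote
            # does not terminate the string early.
            j = i + 1
            while j < n and source[j] != ch:
                if source[j] == "\\":
                    j += 1
                j += 1
            _collect(source[i:j + 1], "string", results)
            i = j + 1
        else:
            # Plain code: advance until the next comment or string start.
            j = i
            while j < n:
                c = source[j]
                c2 = source[j + 1] if j + 1 < n else ""
                if c in "'\"`" or (c == "/" and c2 and c2 in "/*"):
                    break
                j += 1
            _collect(source[i:j], "code", results)
            i = j
    return results


def executable_urls(source: str) -> List[str]:
    """URLs that are not in comments: the only ones worth a security review."""
    return [u for u, ctx in classify_urls(source) if ctx not in COMMENT_CONTEXTS]


# Constructed sample input modelled on the comment quoted in this issue.
SAMPLE_JS = """\
// Constructed sample modelled on the jQuery comment discussed in the issue:
// https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
/* see also http://example.invalid/docs */
var endpoint = "https://api.example.invalid/v1";
var ratio = total / count; // not a URL: https://example.invalid/in-comment
"""

if __name__ == "__main__":
    for url, ctx in classify_urls(SAMPLE_JS):
        print(f"{ctx:14s} {url}")
    print("needs review:", executable_urls(SAMPLE_JS))
```

Running the script over `SAMPLE_JS` reports four URLs, three of them in comments, and only the string literal `https://api.example.invalid/v1` as needing review. Pointing it at a real bundle such as `dist/jquery.js` turns a scanner's raw URL list into the much shorter set that code can actually reach.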
Both of the removed links are not crucial; one of them refers to a site that has since started being malicious; while the Web Archive links remain safe, some scanners warn about such links. Removing them is the safest thing to do. Fixes jquerygh-4981
PR: #4991
Neither of the removed links is crucial; one of them refers to a site that has since started being malicious; while the Web Archive links remain safe, some scanners warn about such links. Removing them is the safest thing to do. Fixes jquerygh-4981
Do you know when a new version of jQuery without this issue is supposed to be released?
Those links do not show up in the production version of jQuery anyway?!
We can't provide any dates. We still have a few things to fix for the next release.
FYI: My company is requiring this to be closed by April 6th. Fortify found this issue back on December 6th. I suspect this is going to affect a lot of large companies. If the release is not ready soon, we would appreciate at least some sort of patch release to address it.
This is getting really ridiculous; non-technical people are asking to replace jQuery just because of some old URL in commented-out code that raised an alert. This is not even a real security problem.
Yup. The joys of running Fortify in a big company. And while I can use this actual issue to open a discussion with our security team to apply common sense, I can't say every company will. The 120-day moderate security issue I believe is a default Fortify policy.
jquery/dist/jquery.js:
// https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
The 'http://blindsignals.com/index.php/2009/07/jquery-delay/' site is a malicious web site.