[BUG] data-ajax-replace strips away target attribute #9390
Comments
|
#9313 discusses this issue. |
|
@ahmad-shahid that is the expected behaviour since we applied security fix to jQuery through DomPurify. That change was documented into our release note of wet-boew. This is not only applicable to data-ajax, but to any HTML code that get parsed through a jQuery command for wet-boew and any third party script that use jQuery. However, @Christopher-O has submitted a request to Principal Publisher in order to support a valid use case of opening a new windows when the web author has applied additional security measure to prevent tabnabbing exploit. @ahmad-shahid your proposed use case is currently not valid. I suggest you to submit also a request to Principal Publisher regarding that. \cc @GormFrank |
duboisp
added
Need: Use case
ghost
mentioned this issue
|
yes 4.0.44.x causing us some kind of issue in this regard. I'm highly skeptical of "security" "fixes" that break functionality unfortunately I don't have the time to investigate fully or to propose an alternative fix. What's most broken about this is there's no exception, no console log, no warning about the offending behavior. What did we do wrong? Which CVE is offended? Who knows. As a developer we're supposed to dig dig dig dig dig and unravel someone elses decisions to even figure out why things stop working with a new release of wet-boew. In this case we often won't notice or find out until months after upgrading when someone complains. There are limits to automated test coverage. Good friendly assistance would be to offer API breakages with a helpful log message pointing to the cve and explaining why we've offended someone or some thing , or better yet, to find ways to solve the cve without breaking functionality. Please throw us a few bones here. We're hungry dogs sludging it out in the trenches. |
|
@joejoseph00 we have followed the recommendation as stated by the CVE which was to leverage DOMPurify as we noted in our release notes of v4.0.44.x Here the security advisories: Our solution of fixing jQuery v2 directly was chosen because it was the fastest and easiest way to quickly fix the security issue. A lot more of work and a lot more of testing would be required if we tried to move to jQuery 3. Although, we had a community member @neilmispelaar that started that migration project awhile ago (Research 2019-16) but it is still incomplete. You are welcome to help us.
In this specific situation, that change is not consider as an "API breakages" which I interpret as major change" according to our versioning and our versioning public API which is currently under review with a lot more details If you need immediate answer to a question or want to know how you can contribute to fix issue in wet-boew (and gcweb), you can join us at anytime during our weekly Tuesday afternoon office hours. You will find the MS Team meeting link in our wiki page. |
|
CVE-2020-11023 This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary. Perhaps someone is disputing this? |
Hello, an issue has come up for CDTS. I was hoping to get your thoughts on this.
When using data-ajax-replace, if I'm inserting an anchor tag with a target attribute so that a link opens in a new window, it looks like the target attribute is removed when the data is inserted.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
For <a> tags, the target attribute not be removed when inserted using data-ajax-replace.
Version of WET-BOEW/GCWeb you are using
This problem started happening in v4.0.44
The text was updated successfully, but these errors were encountered: