The included jquery version is vulnerable #3640
Comments
|
That's right, @dvzrv. Indeed, as of current develop (b3d8f85), the vendored jquery version is 1.9.1 from 2013-02-04. As a stopgap measure, we can try to upgrade to the latest jQuery 1.x version, 1.12.4 from 2016-05-20. Unfortunately, simply replacing I'll see if there is a proper fix. |
|
I think I found the solution, taking inspiration from this Parcel issue: $ hg diff src/static/js/rjquery.js
diff --git a/src/static/js/rjquery.js b/src/static/js/rjquery.js
--- a/src/static/js/rjquery.js
+++ b/src/static/js/rjquery.js
@@ -1,5 +1,5 @@
// Proviedes a require'able version of jQuery without leaking $ and jQuery;
-require('./jquery');
+window.$ = require('./jquery');
var jq = window.$.noConflict(true);
exports.jQuery = exports.$ = jq; |
|
Great job, @muxator! |
|
@muxator thanks for looking into this so fast! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The vendored version of jquery (1.9.1) is vulnerable to many security issues, which are tracked in CVEs:
Please note, that maybe not all of the above are actually relevant for the included jquery version. I compiled the list from what seemed relevant, going through a list of CVEs, mentioning jquery: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jquery
However, this shows, that updating the vendored version would be a good idea! :)
The text was updated successfully, but these errors were encountered: