
Update jQuery to a supported version #6720

Open
kittithorntha opened this issue Oct 2, 2017 · 10 comments
Labels
1. to develop Accepted and waiting to be taken care of javascript ♻️ refactor Refactor code (not a bug fix, not a feature just refactoring) technical debt

Comments

@kittithorntha

I have found that Nextcloud includes jQuery version 2.1.4, which has the issue described in this link: jquery/jquery#2432

https://github.com/nextcloud/server/blob/master/core/vendor/core.js
at line 1
/*! jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */

The solution is that Nextcloud should upgrade to the latest version, as described in issue 2432.

@nickvergessen
Member

The function which is dangerous is globalEval, and we fixed this method manually:

server/core/js/js.js

Lines 1285 to 1292 in 086ce70

/**
* Disable execution of eval in jQuery. We do require an allowed eval CSP
* configuration at the moment for handlebars et al. But for jQuery there is
* not much of a reason to execute JavaScript directly via eval.
*
* This thus mitigates some unexpected XSS vectors.
*/
jQuery.globalEval = function(){};

We should still think about updating it at some point since 2.1 seems to not get any updates anymore.
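To show what the override above actually buys, here is an added example (not code from the Nextcloud issue or from jQuery): a constructed stand-in for the part of jQuery 2.x's DOM-insertion path that hands inline script text to jQuery.globalEval, run once with the original indirect-eval behaviour and once with the no-op replacement. The jQuery object, insertHtml, the regex and the __marker global are all assumptions made for the illustration.

```javascript
// Constructed stand-in for the jQuery namespace.
const jQuery = {};

// Mirrors what jQuery 2.x does: evaluate code in global scope via indirect eval.
jQuery.globalEval = function (code) {
  const indirect = eval;
  if (code && code.trim()) {
    indirect(code);
  }
};
const originalGlobalEval = jQuery.globalEval;

// Constructed stand-in for jQuery's inline-script handling during DOM
// manipulation: <script> elements without a src attribute have their text
// passed to jQuery.globalEval when the markup is inserted.
const rInlineScript = /<script(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;

function insertHtml(html) {
  let handedToGlobalEval = 0;
  let match;
  while ((match = rInlineScript.exec(html)) !== null) {
    jQuery.globalEval(match[1]);
    handedToGlobalEval += 1;
  }
  return handedToGlobalEval; // how many inline scripts reached globalEval
}

// Constructed sample markup whose inline script would set a global marker.
const SAMPLE_HTML = '<p>hello</p><script>globalThis.__marker = "ran";</script>';

function runWithoutMitigation() {
  jQuery.globalEval = originalGlobalEval; // stock jQuery behaviour
  delete globalThis.__marker;
  insertHtml(SAMPLE_HTML);
  return globalThis.__marker; // "ran": the inline script executed
}

// The override from core/js/js.js: globalEval becomes a no-op, so script
// text that reaches it is silently discarded instead of evaluated.
function applyNextcloudOverride() {
  jQuery.globalEval = function () {};
}

function runWithMitigation() {
  applyNextcloudOverride();
  delete globalThis.__marker;
  insertHtml(SAMPLE_HTML);
  return globalThis.__marker; // undefined: nothing was evaluated
}
```

Note that the override only covers the code paths that call jQuery.globalEval (inline script text and script-type responses); markup that executes through other mechanisms is outside its scope, which is why the comment still calls for updating the library itself.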

@nickvergessen nickvergessen changed the title Vulnerable Javascript library Update jQuery to a supported version Oct 5, 2017
@nickvergessen
Member

cc @nextcloud/javascript

@nickvergessen nickvergessen added the 1. to develop Accepted and waiting to be taken care of label Oct 5, 2017
@MorrisJobke
Member

This requires #4628 to be fixed first.

@juliusknorr
Member

juliusknorr commented Feb 19, 2018

When grepping through the core code, the following methods, deprecated in 3.x, are also used quite often, so it makes sense to update those when bumping the jQuery version:

  • .bind()
  • .delegate()

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Feb 21, 2019
@skjnldsv skjnldsv added this to the Nextcloud 18 milestone Nov 16, 2019
@rullzer rullzer removed this from the Nextcloud 18 milestone Dec 9, 2019

@susnux susnux added the ♻️ refactor Refactor code (not a bug fix, not a feature just refactoring) label Aug 15, 2024
@joshtrichards
Member

We're on jQuery v3.7.x today.

@susnux I was going to close this, but I see you labeled this for refactor recently. Am I overlooking something?

@susnux
Contributor

susnux commented Nov 20, 2024

Just for proper tags.
I do not plan to implement this; rather, I would like to find time to drop jQuery completely (only external-files and user-ldap are still missing to migrate to Vue).
