Upgrade jQuery past known vulnerabilities
RudolfCardinal opened this issue · comments
Thanks for Deform; lovely work!
A question/issue re the jQuery version and security:
- The current version of Deform (2.0.15) ships with `static/scripts/jquery-2.0.3.min.js`.
- The advice is to load this from the `<head>` tags of pages using Deform, as per https://docs.pylonsproject.org/projects/deform/en/2.0-branch/basics.html#serving-up-the-rendered-form.
- However, jQuery 2.0.3 has known cross-site scripting vulnerabilities: https://snyk.io/vuln/npm:jquery and http://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html.
This was pointed out to us by a penetration testing company. They note that the potential exploit methods are complex, but I'm afraid I don't know whether this is in effect a false positive or whether it is a real concern. However, on the assumption that they are right:
Could Deform ship with a more recent jQuery version? I note this is clearly not as simple as dropping in the current version (3.6.0 does not work)! Many thanks for thinking about this.
Yes, Deform could (and should) use a more current and secure version of jQuery.
I would accept a PR that passes all functional tests. I'd be happy to assist you with the setup if you want to do the necessary work.
Putting JavaScripts in the `<head>` was done because no one could figure out how to inject jQuery inside the closing `</body>` and inject a widget's JavaScripts after it. We did some work to make this more flexible, and more work is needed to complete the task.
Additionally we now have two branches.

`main` is where development of the upcoming Deform 3.0 release takes place. It will use Bootstrap 5 and drop support for EOLed Python versions. We will also consider either replacing or dropping incompatible widgets that depend on a vulnerable version of jQuery. Demo: https://deformdemo3.pylonsproject.org/

`2.0-branch` receives backported changes from `main`. This branch will get minimal changes to support backward compatibility. Demo: https://deformdemo.pylonsproject.org/