Joomla! Issue Tracker | Joomla! CMS #20660

? ?

Fixed in Code Base
18 Jun 2018
Medium
Build: 3.9-dev
# 20660
Diff
SniperSister:39-jquerypatch

Pending

Pending continuous-integration/drone/pr this build is pending Details

User tests: Successful: Unsuccessful:

SniperSister
4 Jun 2018

Pull Request for Issue #19464 .

Summary of Changes

As documented in the jQuery tracker (jquery/jquery#2432), jQuery 1.x has a potential security flaw connected to AJAX requests, the results returned are executed (!) as JS code by default.

As we can't upgrade to a newer jQuery version in 3.x for BC reasons, I ported the patch developed by the guys at TYPO3:
TYPO3/TYPO3.CMS@43b1d7a

Testing Instructions

Apply patch, browse pages with AJAX requests (i.e. the backend dashboard or the indexer of com_finder).

Expected result

Features still work

Documentation Changes Required

If 3rd party developers rely on the current, dangerous behavior then this change will break their code! So this needs to be communicated upfront!

a49594a 4 Jun 2018

Fix Jquery XSS issue

SniperSister - open - 4 Jun 2018

SniperSister - change - 4 Jun 2018

Status

New

⇒

Pending

joomla-cms-bot - change - 4 Jun 2018

Category

⇒

JavaScript

66be8bf 4 Jun 2018

Updated comment

SniperSister - change - 4 Jun 2018

Labels

Added: ?

SniperSister - comment - 4 Jun 2018

@brianteeman done!

brianteeman - comment - 4 Jun 2018

I have tested this item ✅ successfully on 66be8bf

as far as i can tell no issues observed

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20660.}

brianteeman - test_item - 4 Jun 2018 - Tested successfully

dgrammatiko - comment - 4 Jun 2018

I hate to see us editing external scripts.
Honestly I can't wait to watch jQuery joining the mootools in the tech graveyard...

ggppdk - comment - 4 Jun 2018

Seems to work only with DEBUG on, that loads media/jui/js/jquery.js

with DEBUG off , that loads media/jui/js/jquery.min.js
i get
SyntaxError: expected expression, got '}'[Μάθετε περισσότερα] jquery.min.js:2:96463

SniperSister - comment - 4 Jun 2018

@csthomas neither of these remarks adds any value to the PR, could you please open new issues for that?

2dc7c10 4 Jun 2018

fixed broken compessed js

SniperSister - comment - 4 Jun 2018

@ggppdk good catch, fixed!

ReLater - test_item - 5 Jun 2018 - Tested successfully

ReLater - comment - 5 Jun 2018

I have tested this item ✅ successfully on 2dc7c10

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20660.}

franz-wohlkoenig - comment - 6 Jun 2018

@brianteeman can you please retest? [first i wrote: "can you please rest ;-)]

ChristineWk - test_item - 16 Jun 2018 - Tested successfully

ChristineWk - comment - 16 Jun 2018

I have tested this item ✅ successfully on 2dc7c10

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20660.}

Quy - change - 16 Jun 2018

Status

Pending

⇒

Ready to Commit

Quy - comment - 16 Jun 2018

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20660.}

mbabker - close - 18 Jun 2018

mbabker - merge - 18 Jun 2018

mbabker - change - 18 Jun 2018

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2018-06-18 02:51:32
Closed_By		⇒	mbabker
Labels	Added: ?

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#20660] - Fix jQuery XSS Issue

Summary of Changes

Testing Instructions

Expected result

Documentation Changes Required

Add a Comment