
SniperSister
18 Mar 2022

Summary of Changes

jQuery UI versions prior to 1.13.0 have a potential XSS attack vector that can be used to execute code in the browser context. Joomla core itself does not have such an attack vector; however, we can't rule out that 3rd party extensions are vulnerable, which is why we backport the patch to the jQuery UI version used in 3.x.

4.x is not affected as it does not ship jQuery UI.

Testing Instructions

  • Open the article manager in the backend, click on the "sort by ordering" column head, wait for the page to reload.
  • Open developer tools and verify that no JS-related error message is shown in the console.

Actual result BEFORE applying this Pull Request

No error, patch not being backported.

Expected result AFTER applying this Pull Request

No error, patch backported.

Documentation Changes Required

Doc block in both files has been updated to reflect the change.

SniperSister - open - 18 Mar 2022
SniperSister - change - 18 Mar 2022
Status: New → Pending
joomla-cms-bot - change - 18 Mar 2022
Category: JavaScript
zero-24 - change - 18 Mar 2022
Labels Added: ?
zero-24 - comment - 18 Mar 2022

As it's just a comment change that is not included in the minified version, we don't need a change to the min file.

zero-24 - comment - 18 Mar 2022

Merging here. Thanks David!

zero-24 - change - 18 Mar 2022
Status: Pending → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2022-03-18 10:49:06
Closed_By: zero-24
zero-24 - close - 18 Mar 2022
zero-24 - merge - 18 Mar 2022
