[Koha] Update jquery
Owen Leonard
oleonard at myacpl.org
Fri Aug 2 01:22:14 NZST 2019
> I would like to hear more details about why you want to upgrade jQuery.
I'm copying this out-of-thread reply because I think it's important
for anyone who's watching this issue:
On Wed, Jul 31, 2019 at 7:56 PM Ing. Marcos Rene Alvarez Moreno
<mralvarezm at dgb.unam.mx> wrote:
> The reason for updating jquery is because the jQuery library in versions
> prior to 3.0.0 is vulnerable to Cross Site Scripting (XSS) attacks when
> an Ajax request is made to other domains if the dataType option is
> not specified.
> It is specified in the jQuery Library vulnerable to XSS - CVE-2015-9251.
A direct link: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
I want to point out that one aspect of the original post in this
conversation is incorrect: 18.11.x uses jQuery 2.2.3 (not 1.7).
However, the issue is the same: The fix for the vulnerability was not
backported from jQuery 3 to earlier versions.
Note that there is a non-upgrading option for fixing the problem suggested here:
https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
Updating Koha to use jQuery 3.0 is certainly the way forward but is
not an immediate fix.
Thanks for raising this issue,
-- Owen
--
Web Developer
Athens County Public Libraries
https://www.myacpl.org
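
The behaviour discussed in the message above, as an added example that is not part of the original e-mail or of Koha's code: a simplified model of how jQuery before 3.0.0 infers `script` from a response's Content-Type when no dataType is given, and the `ajaxPrefilter` check that jQuery 3.0.0 registers internally to stop that inference for cross-domain requests. The function names `defaultContents`, `inferDataType`, `blockCrossDomainScript`, `install` and `demo` are hypothetical, and the request objects are constructed for illustration.

```javascript
// Added example: simplified model of dataType inference in jQuery < 3.0.0,
// plus a prefilter that disables script inference for cross-domain requests.

// Mirrors the Content-Type patterns jQuery keeps in ajaxSettings.contents.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/
  };
}

// Simplified stand-in for jQuery's internal inference: with no explicit
// dataType, the first matching pattern decides how the body is handled.
// An inferred "script" type means the response body gets evaluated.
function inferDataType(s, contentType) {
  if (s.dataType) return s.dataType; // explicit choice by the caller wins
  for (const type of Object.keys(s.contents)) {
    if (s.contents[type] && s.contents[type].test(contentType)) return type;
  }
  return "text";
}

// The mitigation: the same check jQuery 3.0.0 applies to every request.
function blockCrossDomainScript(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// On a page that loads jQuery 1.x/2.x, register before any Ajax call is made.
function install($) {
  $.ajaxPrefilter(blockCrossDomainScript);
}

// Constructed requests; none of them sets dataType.
function demo() {
  const ct = "text/javascript; charset=utf-8";
  const unpatched = { crossDomain: true, contents: defaultContents() };
  const patched = { crossDomain: true, contents: defaultContents() };
  const sameOrigin = { crossDomain: false, contents: defaultContents() };
  blockCrossDomainScript(patched);
  blockCrossDomainScript(sameOrigin);
  return {
    unpatched: inferDataType(unpatched, ct),   // "script"
    patched: inferDataType(patched, ct),       // "text"
    sameOrigin: inferDataType(sameOrigin, ct)  // "script"
  };
}
```

A caller that explicitly passes `dataType: "script"` still gets script handling; the prefilter only removes the implicit inference.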