MrPhil, posted April 25, 2019:

jQuery has a (recently patched) vulnerability to "prototype pollution" attacks, which can be used to escalate authority of hackers and do nasty things. Article: https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/

Quote: "Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest jQuery version, v3.4.0. Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks."

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.
burt, posted April 25, 2019:

Note that CE has been on the 3.x jQuery for over 2.5 years. CE is presently on 3.3.1 (edge) and 3.1.1 (frozen). Easy way to check external libraries on the Wiki: https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries
puddlec, posted April 25, 2019:

6 minutes ago, burt said: "Note that CE has been on the 3.x jQuery for over 2.5 years. CE is presently on 3.3.1 (edge) and 3.1.1 (frozen). Easy way to check external libraries on the Wiki: https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries"

Not in the admin; still on the 2.x branch. UI is also out of date, now at 1.12.1:
jquery-2.2.3.min.js
jquery-ui-1.10.4.min.js

Phoenix support now at https://phoenixcart.org/forum/
App created for Phoenix: TinyMCE editor for admin
puddlec, posted April 25, 2019:

Just had a quick look to see what I could see in terms of jQuery. Also seen references to the 1.x branch:

document.write('<scr' + 'ipt src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></scr' + 'ipt>');

was found in:
admin/paypal.php
admin/orders.php
admin/includes/modules/dashboards/d_paypal_app.php
catalog/includes/modules/payment/paypal_pro_dp.php
catalog/includes/modules/payment/paypal_pro_hs.php

jQuery 2.x in admin/includes/template_top
jQuery 3.x in catalog/includes/template_bottom.php

That covers all the references to jQuery that I have found (based on the latest version of edge).
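As an added example (not from this thread or from osCommerce), a small Node script that does what the post above did by hand: it pulls every jQuery version reference out of source text, in both the CDN-path and local-file-name forms listed, and flags anything below 3.4.0, the first release carrying the fix. The sample file contents and the function names are constructed for the example.

```javascript
// Added example, not code from the thread: find jQuery references in source text
// and flag versions below 3.4.0, the first release carrying the fix.
const FIXED_VERSION = '3.4.0';

// Matches CDN paths such as ".../jquery/1.11.1/jquery.min.js" and local file names
// such as "jquery-2.2.3.min.js". "jquery-ui-1.10.4" is deliberately not matched
// because "-ui" follows "jquery"; jQuery UI has its own release line.
const JQUERY_REF = /jquery[-\/](\d+\.\d+\.\d+)/gi;

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns one record per reference: file, 1-based line, version, and whether the
// version predates the fix.
function findJqueryRefs(text, file) {
  const refs = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(JQUERY_REF)) {
      refs.push({ file, line: idx + 1, version: m[1], vulnerable: compareVersions(m[1], FIXED_VERSION) < 0 });
    }
  });
  return refs;
}

function scan(files) {
  return Object.entries(files).flatMap(([file, text]) => findJqueryRefs(text, file));
}

// Constructed samples modelled on the references puddlec listed; not real file contents.
const SAMPLE_FILES = {
  'admin/paypal.php':
    "document.write('<scr' + 'ipt src=\"https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js\"></scr' + 'ipt>');",
  'admin/includes/template_top.php':
    '<script src="ext/jquery/jquery-2.2.3.min.js"></script>\n' +
    '<script src="ext/jquery/ui/jquery-ui-1.10.4.min.js"></script>',
  'includes/template_bottom.php': '<script src="ext/jquery/jquery-3.4.1.min.js"></script>',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scan(SAMPLE_FILES)) {
    console.log(`${r.vulnerable ? 'UPDATE' : 'ok    '} ${r.file}:${r.line} jQuery ${r.version}`);
  }
}
```

To run it over a real tree, read each file with fs.readFileSync and pass the text and path to findJqueryRefs.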
Stephan Gebbers, posted April 25, 2019:

Quote: "Taking into account that there's some syntax breakage between the three major versions and that web developers would rather throw acid on their face than re-write their frontends, most websites are bound to continue to use older versions for the foreseeable future."

Fortunately, the patch has been backported to previous releases. https://github.com/DanielRuf/snyk-js-jquery-174006
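As an added example (not code from this thread, from the linked backport or from jQuery), here is a deep merge of the kind the vulnerability in the first post concerns, written to refuse the keys that can redirect it into Object.prototype, together with a check a page can run to confirm its prototype is still clean. The jQuery 3.4.0 fix takes the same approach by skipping the "__proto__" key inside the deep copy in $.extend; the settings names, marker names and sample JSON here are constructed assumptions.

```javascript
// Added example, not code from the thread or from jQuery. Keys that can redirect a
// deep merge into Object.prototype are refused instead of copied.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return Object.prototype.toString.call(value) === '[object Object]';
}

// Recursively copies own enumerable properties of source into target, the way a
// jQuery-style $.extend(true, target, source) does, but never through UNSAFE_KEYS.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // the 3.4.0 fix skips "__proto__" at this point
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
        ? target[key]
        : {};
      target[key] = safeDeepMerge(existing, incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// Defensive check: a marker property must not be visible on a brand-new object.
// Returns the markers that leaked into Object.prototype (empty when clean).
function findPollutedMarkers(markers) {
  return markers.filter((name) => name in {});
}

// Constructed sample: user-controlled JSON such as a settings blob posted to an admin
// page. After JSON.parse the "__proto__" key is an own property, so a naive deep merge
// would reach Object.prototype through it; safeDeepMerge drops it instead.
const UNTRUSTED_JSON = '{"theme":{"color":"blue"},"__proto__":{"isAdmin":true},"constructor":{"prototype":{"x":1}}}';

function mergeSettings(defaults, json) {
  const merged = safeDeepMerge(defaults, JSON.parse(json));
  const leaked = findPollutedMarkers(['isAdmin', 'x']);
  return { merged, leaked };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { merged, leaked } = mergeSettings({ theme: { color: 'red', font: 'serif' } }, UNTRUSTED_JSON);
  console.log(JSON.stringify(merged), 'leaked:', leaked);
}
```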
burt, posted April 25, 2019:

3 hours ago, puddlec said: "Not in the admin; still on the 2.x branch. UI is also out of date, now at 1.12.1: jquery-2.2.3.min.js jquery-ui-1.10.4.min.js"

Admin side is not started. Waiting on more support from individuals and companies using osCommerce, in order to march forward.
milerwan, posted July 27, 2019:

On 4/25/2019 at 3:17 PM, burt said: "Note that CE has been on the 3.x jQuery for over 2.5 years. CE is presently on 3.3.1 (edge) and 3.1.1 (frozen). Easy way to check external libraries on the Wiki: https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries"

Hi Burt,

I have an old 2.3.4 version (always under jquery-2.2.3) and when I try to update to jquery-3.4.x, I have issues with:
- data-toggle="dropdown"
- data-toggle="tab"
- modal cart module
- etc.

What are the changes to operate to be in line with the new version of jQuery? Is it necessary to update the Bootstrap version too to make the new jQuery version work, or is there no consequence?

Thank you for your time.

Osc v2.3.4 BS "custom" PHP 7.3 compatible (710 modified files => o_O')
burt, posted July 30, 2019:

@milerwan I do not recall any issues like that, sorry. Maybe you can update to Phoenix? And get rid of all the sliders on your home page, I have a headache now.
Demitry, posted September 26, 2019:

I have BS Edge running on PHP 7.2 and decided to try updating the jQuery version from 3.1.1 to 3.4.1 on the catalog side. I cannot see any issues at this point. The checkout seems to work fine and nothing seems to be off. Is there anything in particular I should be looking for? Nothing seems to be breaking the site or causing problems. And, are there any other changes I need to make, other than adding the new jQuery 3.4.1 file to the /ext/jquery/ folder and changing the call for that file in /includes/template_top.php?

osCommerce: made for programmers, ...because store owners do not want to be programmers. https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce
Demitry, posted October 4, 2019:

Hi Phil,

Quote: "The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library."

What API changes are there? As I mentioned in the post above, I installed the latest jQuery v3.4.1 and everything is running smoothly. Are there any other changes I need to make?