upgrade to jquery 3.5.1 [Deleted]

Just going to add this link here:


Yes, 2.2 uses 3.5.1.

We have currently opted not to include it in 2.1 as the fixes for the issues also introduce some very subtle backwards compatibility issues (we know of 1 specific issue in XF though others may come out over time). The issues also require receiving a particular set of HTML in a certain method and we are not aware of any cases within XF that are exploitable.

Just to be aware of the backwards compatibility issue with just dropping in a new version of jQuery.
 
Thanks for the comment. As noted, my testing showed no issues with basic board functions. Use at your own risk.
It would be nice if there is a known 'subtle' issue, that it could be brought to light. Perhaps it's not even a feature I use, or some odd-ball browser I don't care about, etc.
 
Or perhaps just trust our judgement and hold off until we officially support it?

While there are known issues with the version of jQuery we include with XF 2.1 there is nothing in the default software that should be able to trigger said issues. If there was, we’d have already updated - or patched - said vulnerability.

I’d therefore strongly suggest people wait for XF 2.2 before changing their version of jQuery.
 
Wasn’t intending to come off as condescending by the way.

I just thought it was important to clear up any implication that there is an actively exploitable security issue in the software that we aren’t patching with the urgency it requires.
 