geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

jQuery 2.4.2 scan XSS vulnerabilities: Request update jQuery 3.5.0 #4772

Open JDCampbell301 opened 4 years ago

JDCampbell301 commented 4 years ago

Describe the bug: https://snyk.io/vuln/SNYK-JS-JQUERY-565129 or search for jQuery vulnerability

To Reproduce: Acunetix security scan report indicates jQuery 2.4.2 has moderate risk vulnerability

Expected behavior: It appears that the new 3.5.0 has fixed a more recent cross site scripting vulnerability, so it appears that we may need to jump all the way to the current version.

Additional context: We are also working on resolving this since it is on our critical path. I have posted this issue since it probably exceeds the limits of our understanding of the UI code.

https://github.com/geonetwork/core-geonetwork/pull/2520 was the update to jQuery 2.4.2. @PascalLike said: "The upgrade to the latest version 3.3.1 is not safe (and does not work)". Is that a backwards compatibility issue with jQuery 3 in general or specific to 3.3.1?

I will also repeat his request to "let me know is there is any extra precaution to take in these kind of updates."

JDCampbell301 commented 4 years ago

We have passed the security scan using jQuery 3.5.0. The root cause is a difference in the way nested self-closing HTML elements are interpreted. This jQuery change was necessary to fix the security vulnerability. jQuery 3.5.0 is the first (currently only) version without the vulnerability.

We modified GeoNetwork HTML to eliminate the self-closing HTML. We tested by using the GeoNetwork UI and did not discover any failures. We will make a pull request with our changes.

Warning: We cannot be certain that every piece of nested self-closing HTML has been corrected. For example, we have not enabled INSPIRE, so that portion has not been tested.
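The parsing difference described in the comment above, as an added example that is not code from the GeoNetwork project or from this thread: the `rxhtmlTag` regex reproduces the `htmlPrefilter` that jQuery 3.4.1 applied before 3.5.0 removed it, and `findNonVoidSelfClosing` is a hypothetical migration check for templates. The `SAMPLE` fragment is constructed for the example.

```javascript
// Added example (not GeoNetwork's or jQuery's own code). jQuery < 3.5.0 ran
// every HTML string through htmlPrefilter, which rewrote self-closing tags of
// non-void elements ("<div/>") into "<div></div>" before handing the string to
// innerHTML. jQuery 3.5.0 removed that rewrite to close the XSS, so the
// browser's HTML parser now sees "<div/>" as an opening "<div>" that swallows
// the siblings that follow it; templates relying on the rewrite break.

// Regex and void-element list as in jQuery 3.4.1's core source.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0 behaviour.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0 behaviour: the string is passed through unchanged.
function currentHtmlPrefilter(html) {
  return html;
}

// Hypothetical migration check: report self-closing tags whose element is
// not a void element, i.e. the constructs that must be rewritten by hand
// (as the comment above describes doing for GeoNetwork's HTML).
const VOID_ELEMENTS = new Set([
  "area", "base", "br", "col", "embed", "hr", "img", "input",
  "link", "meta", "param", "source", "track", "wbr",
]);
const rxSelfClosing = /<([a-zA-Z][\w:-]*)(\s[^<>]*?)?\/>/g;

function findNonVoidSelfClosing(html) {
  const hits = [];
  let m;
  while ((m = rxSelfClosing.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!VOID_ELEMENTS.has(tag)) hits.push({ tag, index: m.index });
  }
  return hits;
}

// Constructed template fragment: one non-void self-closing <div/> plus two
// void elements that are legitimately self-closing.
const SAMPLE = '<div class="gn-panel"/><span>label</span><br/><img src="x.png"/>';

console.log(legacyHtmlPrefilter(SAMPLE));   // <div> is expanded to <div></div>
console.log(currentHtmlPrefilter(SAMPLE));  // unchanged; <div/> now swallows <span>
console.log(findNonVoidSelfClosing(SAMPLE)); // [{ tag: 'div', index: 0 }]
```

Running the check over each template before upgrading gives the list of places to fix; the void elements (`<br/>`, `<img/>`) are unaffected by the 3.5.0 change and can stay.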

jodygarnett commented 7 months ago

@JDCampbell301 this report does not follow the project's SECURITY policy and should not really be in the issue tracker. I wonder if this is why you have received a lack of response?

Can you take a moment to read SECURITY.md and share what you have learned? I do not wish to report on your behalf because I am sure there is interest in your pull request?

You did not mention your pull request so I am going to go looking for it now. Perhaps it is already merged and you just forgot to close the issue.

jodygarnett commented 7 months ago

@JDCampbell301 searching pull requests I do not see anything under your name; perhaps another member of your team did this?

I am updating this ticket to have an explicit clear title (otherwise issues stay open a long time). The latest version of jQuery at the time of writing is 3.7.1.