Open weblendweb opened 4 years ago
v1.9.1 (~2013 release) was the last to support IE6/7/8. It is not supported on Cordova (https://blog.jquery.com/2013/04/18/jquery-2-0-released/). v2.0 was released in 2013. v3.0 was released in 2016
there are some breaking changes between each of these major. Definitely for the moodleapp 1.9 is no good.
Does anyone know of a reason not to upgrade to latest jquery? It would seem the steps are to first frun the v1 migration tool (to get from v1.9 to v1.12) then the v2 migration tool https://github.com/jquery/jquery-migrate/#README
H5P was originally created with support for IE8 which has since been dropped. However, some of the content types are still dependant on jQuery 1.9. I believe an upgrade would require a fair amount of time with refactoring and testing. So, until now the 1.9 in H5P has been manually patched for any known issues.
any comment on what manually patched
means?
Doing a diff against the upstream from https://code.jquery.com/jquery/, it appears the one in the h5p git repo only has 1 difference, the following is appended:
// Snap this specific version of jQuery into H5P. jQuery.noConflict will
// revert the globals to what they were before this file was loaded.
var H5P = window.H5P = window.H5P || {};
/**
* jQuery v1.9.1
*
* @member
*/
H5P.jQuery = jQuery.noConflict(true);
H5P.jQuery.ajaxPrefilter(function (s) {
if (s.crossDomain) {
s.contents.script = false;
}
});
the concern is since there are known sec vulnerabilities against that version (and probably many unknown since people stopped reporting them about 5 years ago).
Hi,
from MoodleHQ we are working on fix this issue (https://tracker.moodle.org/browse/MDL-68704) and once this issue will be fixed we would like to do a pull-request in order to H5P could integrate the solution. It is important to notice that there are two vulnerabilities:
Cheers.
I see this old jquery library is updated in the master branch but not in the most current release from Dec 2022. Do you know when this will be added to a release?
This is also becoming an issue, as we have 3rd party scans that are revealing this vulnerability. Any guess as to the effort of bringing jQuery up to date here?
The code is already updated, but hasn't yet been released.
Security alert
Your app contains one or more libraries with known security issues. Please see this Google Help Center article for details.
Vulnerable JavaScript libraries:
Name Version Known issues Identified files jquery 1.9.1 SNYK-npm:jquery:20110606 SNYK-npm:jquery:20150627 SNYK-JS-JQUERY-174006 assets/www/h5p/js/jquery.js Affects APK version 30801.
Error in Moodle Mobile App 3.8.1