[wp-trac] [WordPress Trac] #37110: Update to jQuery 3.*
WordPress Trac
noreply at wordpress.org
Wed Jul 31 15:41:42 UTC 2019
#37110: Update to jQuery 3.*
-------------------------------------------------+-------------------------
Reporter: jorbin                                 | Owner: (none)
Type: task (blessed)                             | Status: new
Priority: normal                                 | Milestone: Future Release
Component: External Libraries                    | Version:
Severity: critical                               | Resolution:
Keywords: early has-patch needs-testing          | Focuses: javascript
  needs-dev-note needs-screenshots needs-refresh |
-------------------------------------------------+-------------------------
Comment (by bigcloudmedia):
Replying to [comment:74 kevindaum]:
> Trustwave, who certifies my PCI status, has been failing me for a few
> months now due to this old version of jquery:
>
> > jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup
> > Language Request Cross-site Scripting Vulnerability
>
> https://www.evernote.com/l/AAE9aSM1l_1FTak5HMGPKnXFcC6kk4-Pl6I
I've been dealing with similar issues from ControlScan. Here's a bit that
fixes the XSS hole:
{{{#!php
<?php
// Loads security_fix.js after jQuery so the prefilter is installed before
// any cross-domain $.ajax call runs. Assumes security_fix.js sits in a js/
// directory next to this plugin file.
function bcm_jquery_security_fix() {
    // plugins_url() resolves the file URL relative to this plugin file, so no
    // manual ABSPATH-to-URL mapping is needed.
    wp_register_script(
        'pci_security_fix',
        plugins_url( 'js/security_fix.js', __FILE__ ),
        array( 'jquery' )
    );
    // The handle must match the one passed to wp_register_script(), otherwise
    // nothing is output.
    wp_enqueue_script( 'pci_security_fix' );
}
add_action( 'wp_enqueue_scripts', 'bcm_jquery_security_fix' );
}}}
{{{#!js
// security_fix.js content
// Prevent auto-execution of scripts when no explicit dataType was
// provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
    if ( s.crossDomain ) {
        s.contents.script = false;
    }
} );
}}}
To finish appeasing the scanners I also had to use jQuery Updater
(https://wordpress.org/plugins/jquery-updater/) and write a supplementary
plugin that deregistered the jQuery **UI** components and re-registered
the latest version of it:
{{{#!php
<?php
// Front end only: replace the core-bundled jQuery UI handles with a single
// 1.12.1 build shipped in this plugin, then re-enqueue Iris (the colour
// picker) against it.
function bcm_jquery_updater() {
    if ( ! is_admin() ) {
        // Deregister the core-bundled jQuery UI components
        wp_deregister_script( 'jquery-ui-core' );
        wp_deregister_script( 'jquery-ui-widget' );
        wp_deregister_script( 'jquery-ui-mouse' );
        wp_deregister_script( 'jquery-ui-draggable' );
        wp_deregister_script( 'jquery-ui-slider' );
        wp_deregister_script( 'jquery-touch-punch' );
        wp_deregister_script( 'iris' );
        // Register the replacements. $deps must be an array: a bare string
        // or false is treated by WordPress as "no dependencies".
        wp_enqueue_script(
            'jquery-ui-core',
            plugins_url( '/js/jquery-ui-1.12.1.min.js', __FILE__ ),
            array( 'jquery' ),
            '1.12.1'
        );
        // admin_url() points at wp-admin/ even when WordPress lives in a
        // subdirectory, unlike building the path from the home URL.
        wp_enqueue_script(
            'iris',
            admin_url( 'js/iris.min.js' ),
            array( 'jquery-ui-core' )
        );
    }
}
add_action( 'wp_enqueue_scripts', 'bcm_jquery_updater' );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37110#comment:75>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
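The jQuery behaviour that the security_fix.js prefilter in the comment above relies on, as an added stand-alone model that is not part of this ticket or of jQuery's own source: `defaultContents` mirrors jQuery.ajaxSettings.contents, while `resolveDataType`, `wouldExecute` and the `api.example.invalid` request are constructed for illustration.

```javascript
// Added example (not from the ticket): a stand-alone model of how jQuery's
// ajaxHandleResponses() guesses a dataType from the response Content-Type,
// and why the ajaxPrefilter in security_fix.js stops cross-domain script
// execution. Simplified stand-in for jQuery internals, not jQuery itself.
const defaultContents = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// The prefilter from security_fix.js, as a plain function.
function crossDomainScriptPrefilter(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// Resolve the dataType jQuery would use when the caller gave none
// ("intelligent guess"). `request` carries crossDomain and optional dataType.
function resolveDataType(request, contentType, prefilters = []) {
  // Every $.ajax call works on its own copy of the settings, so a prefilter
  // mutating s.contents affects only this request.
  const s = { ...request, contents: { ...defaultContents } };
  prefilters.forEach((fn) => fn(s));
  if (s.dataType && s.dataType !== '*') {
    return s.dataType; // an explicit dataType always wins
  }
  for (const type in s.contents) {
    // The `s.contents[type] &&` guard is why setting `script: false` works:
    // a falsy entry is skipped before its regex is ever tested.
    if (s.contents[type] && s.contents[type].test(contentType)) {
      return type;
    }
  }
  return 'text';
}

// jQuery's "text script" converter passes a script response to globalEval;
// model that decision without evaluating anything.
function wouldExecute(request, contentType, prefilters = []) {
  return resolveDataType(request, contentType, prefilters) === 'script';
}

// Constructed scenario: a third-party endpoint answers with JavaScript.
const thirdParty = { url: 'https://api.example.invalid/v1', crossDomain: true };
const JS_CT = 'text/javascript; charset=utf-8';
console.log(wouldExecute(thirdParty, JS_CT));                               // true
console.log(wouldExecute(thirdParty, JS_CT, [crossDomainScriptPrefilter])); // false
```

An explicit `dataType: 'script'` still resolves to `script` with the prefilter installed, which matches jQuery: the fix only removes the automatic guess, not a deliberate request for script.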