Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-71172

Update the version of Jquery used in Jira

XMLWordPrintable

    • 170
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      Currently, Jira uses jQuery version 2.2.4.

      Additional notes

      Jira relies on an Atlassian patched JQuery which is available in this Bitbucket repository.

      Jira 8.20.1 is shipped with JQuery 2.2.4.10 – see the changelog for further details.

      Related CVE: CVE-2015-9251

      jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

      Suggested Solution

      Upgrade jQuery to one of the newer versions (3.5+)

      • More info in the release notes
        • Security Fix

          The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why: jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter ensured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.

          The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged.

          If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin provides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.

          However, to sanitize user input properly, we also recommend using dompurify with the SAFE_FOR_JQUERY option to sanitize HTML from a user. If you don’t need the old behavior, but would still like to sanitize HTML from a user, dompurify should be used without the SAFE_FOR_JQUERY option, starting in jQuery 3.5.0. For more details, please see the 3.5 Upgrade Guide.

              Unassigned Unassigned
              lbugs Lucas Bugs
              Votes:
              186 Vote for this issue
              Watchers:
              200 Start watching this issue

                Created:
                Updated: