
Upgrade jQuery UI from 1.9 to 1.11
Open, LowestPublic

Description

jQuery 1.9 uses deprecated jQuery functions such as andSelf() (see T71350). We should upgrade it to 1.11, the current version.

Details

Reference
bz69386

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:37 AM
bzimport set Reference to bz69386.
bzimport added a subscriber: Unknown Object (MLST).
kaldari created this task.Aug 11 2014, 7:18 AM

That should say "jQuery UI 1.9...". Sorry.

Lowering priority. jQuery UI 1.9 is considered an LTS, and upgrading to 1.10 or 1.11 will be a major and breaking change since until recently we were on jQuery UI 1.8, and 1.9 introduced a brand new API (keeping support for the UI 1.8 API, but 1.10 drops support for this). There's no reason for us to upgrade right now, and certainly before we've finished the previous migration cycle of jQuery core upgrade and MediaWiki JS deprecations.

(In reply to Ryan Kaldari from comment #0)

jQuery UI 1.9 uses deprecated jQuery functions such as andSelf() (see bug 69350).

This is somewhat incorrect. Though andSelf is indeed deprecated, there are no plans by jQuery to remove it. It isn't part of the rest of jQuery Migrate and was not removed in jQuery core 1.8. In fact it still exists in the latest jQuery 1.11 and jQuery 2.x and thus jQuery UI continues to use it so that they don't have to feature-test andSelf/addBack for old versions.

Please reconsider the priority of this.

JQuery UI 1.9 has not been updated since 2012. Where do you see it marked as "LTS"? It is not being maintained.

JQuery UI 1.9 also has security vulnerabilities that are only fixed in newer versions. Example: CVE-2010-5312


If anything, this task is going to be Declined and instead we'll go ahead with "Remove jQuery UI". But this is troubling.

Krinkle raised the priority of this task from Low to Medium.Dec 8 2014, 12:01 AM
Krinkle updated the task description.
Krinkle added a project: Security.
Krinkle set Security to None.
Krinkle changed the visibility from "Public (No Login Required)" to "Security (Project)".
Krinkle changed the edit policy from "All Users" to "Security (Project)".
Krinkle removed a subscriber: Unknown Object (MLST).

The behaviour change in jQuery UI Dialog in v1.10 (the "title" constructor option now being "text" instead of "html") is hardly a security issue. It having been given a CVE id (CVE-2010-5312) seems a bit of an exaggeration.

It says in the jQuery UI 1.9 API Documentation that dialog/option-title takes any valid HTML string.
http://api.jqueryui.com/1.9/dialog/#option-title

It's only subject to html injection if a consumer (e.g. developer) passes it user input. Which as far as I can see is not the case in our usage. And if we would, we'd naturally escape it first (for it is interpreted as html).
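The behaviour difference described in the comment above, as an added example that is not part of this task, of MediaWiki, or of jQuery UI's own code: it models the dialog "title" option being interpreted as HTML (1.9) versus text (1.10 and later), and shows the consumer-side escaping the comment mentions as the mitigation when user input does reach that option. The render functions, the escapeHtml helper and the sample title are constructed for illustration and only simulate the two behaviours; nothing here calls jQuery UI.

```javascript
// Added example: simulates the jQuery UI Dialog "title" option as HTML (1.9)
// versus text (1.10+). All functions and sample values below are constructed.

// Minimal HTML escaper, in the spirit of MediaWiki's mw.html.escape().
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated 1.9 behaviour: the option value is inserted as markup verbatim.
function renderTitleAsHtml(title) {
  return '<span class="ui-dialog-title">' + title + '</span>';
}

// Simulated 1.10+ behaviour: the option value is treated as text, so any
// markup characters in it are escaped before insertion.
function renderTitleAsText(title) {
  return '<span class="ui-dialog-title">' + escapeHtml(title) + '</span>';
}

// Consumer-side mitigation for the 1.9 API: escape untrusted input first,
// then pass the result to the HTML-interpreting option.
function safeTitleFor19(untrusted) {
  return renderTitleAsHtml(escapeHtml(untrusted));
}

// Detection helper: true if anything other than the wrapper span ended up as
// an element, i.e. caller-supplied markup reached the DOM.
function containsInjectedMarkup(html) {
  const inner = html
    .replace(/^<span class="ui-dialog-title">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample input: a title derived from user input that contains markup.
const userSuppliedTitle = 'Edit <b>summary</b>';

console.log('1.9 (html):   ', renderTitleAsHtml(userSuppliedTitle));
console.log('1.10 (text):  ', renderTitleAsText(userSuppliedTitle));
console.log('1.9 escaped:  ', safeTitleFor19(userSuppliedTitle));
```

Under the simulated 1.9 behaviour the bold tag survives into the rendered title, while under the 1.10 behaviour and under the escaped 1.9 call it is rendered literally; the point of the comment is that only the first case can occur, and only when a consumer forwards user input unescaped.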

Reedy raised the priority of this task from Medium to Needs Triage.Nov 7 2016, 8:53 PM
Reedy triaged this task as Medium priority.
Reedy moved this task from Backlog / Other to Other WMF team on the Security board.

@Krinkle: Is there a sufficient reason that this task is access restricted so people cannot find it and file duplicates like https://phabricator.wikimedia.org/T155503 ?

Jdforrester-WMF lowered the priority of this task from Medium to Lowest.Jan 19 2017, 10:54 PM
Jdforrester-WMF added subscribers: Addshore, thiemowmde.

Per Timo's and my comments above.

Jdforrester-WMF changed the visibility from "Security (Project)" to "Custom Policy".Jan 19 2017, 11:23 PM

Adjusted security policy so that WMDE/etc. subscribers can see it.

Jdforrester-WMF changed the edit policy from "Security (Project)" to "Custom Policy".Jan 19 2017, 11:25 PM

Adjusted security policy so that WMDE/etc. subscribers can see it.

Many thanks!

This task really should not be secret. @Krinkle Do you object to me making it public again? Does anyone else object?

I had yet another person on IRC asking about this task that they cannot access. Can someone please check if this can be made public? See T71386#824112.

Krinkle changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 30 2019, 12:08 AM
Krinkle changed the edit policy from "Custom Policy" to "All Users".

The version of jQuery UI that we use is public in MediaWiki's Git repository, and also visible via the browser console at $.ui.version. This is not a secret.