
Upgrade jQuery version

Frontend
On our radar

SilkUI uses jQuery 1.8.3 (released November 13, 2012)

This version of jQuery is no longer supported by the vendor, as it has reached its end-of-life.

Versions from 1.6.3 to (and including) 1.8.3 have known vulnerabilities associated with them.

This jQuery can by default interpret script content received via $.get(), despite it originating from a third-party location. This version may also execute script content when supplied via class selectors.

Please stay up-to-date with 3rd party libraries. The current version is 3.1.

Kind regards,

Matthias Preuter

Created on 20 Mar 2018
Comments (14)

Is the OutSystems one not a subset of 1.8.3 and slightly customized?

Furthermore, personally I am not keen on a newer version, because chances are it's more bloated.


It could be a subset, but the above vulnerability is valid. And maybe there are even more. It is always best to stay up-to-date because of security updates.

Funny enough we have an issue now with a security audit :(

So I need to like it now :D


Maybe the same Auditor?

Or just supply a more recent version as a possible choice in the espace configuration. So you can check and switch on your own time.

We've done implementations to bypass the default jquery version but you may get conflicts trying to load two versions.

Regarding the 3.3.1 being more bloated. Actually it's the other way around.


JS evolved to have querySelectorAll, which has the same job as the $ selector function from jQuery.

jQuery 3 only assigns $ to this function and builds upon it, while jQuery 1 (and 2 I think) has it built from the ground up.

The overall production size is reduced by almost 10KB, but the runtime performance is a lot higher because the core of jQuery (the selector function) runs directly from vanilla JS, meaning the function that runs all the time is now faster.

Personally, I've especially noticed the speed improvement on those big cycles and big ".each()" calls; it used to feel like the browser was about to break and now it never happens.


From 1 to 2 it had a lot of improvements for mobile as well, especially on ontouch events which didn't always trigger.


Please double check browser support as jQuery dropped some support by using the native functions (https://jquery.com/browser-support/ IE9+ and only the webkit version of Opera seems to be what to look for)


As a side note, querySelectorAll was such a massive improvement that it has a lot of developers moving away from jQuery because they only really used it for the selector.

I tried to create a jsTree Wrapper as Forge but I gave up because jQuery 1.9.0 or later was mandatory.

https://www.jstree.com/

Leaving the 3rd party library version out of date is a big problem, both as a business and for the motivation of an engineer.

From the above, I fully agree with the following.

> Please stay up-to-date with 3rd party libraries. 

Of course I know how to use multiple versions concurrently.
However, it is best that OutSystems upgrade the version.


Changed the status to On our radar


Hi Matthias,

You are right, the version of jQuery shipped with the platform is an older release and updating it is a good idea. 

The team is currently working on a bolder plan so that in the future you don't need jQuery at all,  and that you can create applications that react very fast to user input only using low-code (you'll hear more about it soon). 

Changing jQuery for the existing apps is not a completely trivial change, and it might have impact, but I'll leave this issue as "On our radar" and we'll keep an eye on it, so we can address it in the future.

Cheers,

Tiago Simões


Hello - I am with Humana (Fortune 50 company) dealing with sensitive healthcare and financial data.
We launched our first site - https://firstlook.humana.com and folks love it!

HOWEVER, our IT security teams have thrown a BIG RED FLAG over jQuery 1.8.3
We can NOT deploy anything other than simple no-login public sites UNTIL jQuery is upgraded.

jQuery only supports version 3 or greater - 1.8.3 is fully de-supported


1) When will OutSystems upgrade to a newer jQuery?

2) I read it's possible to manually upgrade jQuery - BUT - this is a breaking change so what can I do in the near term?

WE ARE STUCK!

Thanks

-Bruce Buttles

bbuttles@humana.com

Hi Bruce,

On our existing web runtime, we allow two jQuery versions (1.4.2 OS and 1.8.3). While these have been discontinued, we have continued to do major security fixes. One of the most common issues in 1.8.3 is vulnerability #11290 (https://bugs.jquery.com/ticket/11290) which relates to a potential Cross Site Scripting vulnerability in jQuery's selector operator ( $ ). 

As of OutSystems version 9.1.401.0 the fix was implemented and backported and the $ operator is no longer vulnerable to this attack.

Also, and as Tiago said, we're currently working on a bolder plan, where jQuery will not be needed.

Regards,

Ricardo Alves
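
As an added example (not part of this thread, and not OutSystems' or jQuery's own code), the following Node script reproduces how jQuery's $() decides whether a string is HTML or a selector before and after the fix for ticket #11290, and adds a guard for apps that must keep running on the old version. The two regexes are assumed approximations of jQuery's internal rquickExpr for 1.8.3 and 1.9+, and the sample inputs are constructed.

```javascript
// Added example, not from this thread or from OutSystems/jQuery.
// Reproduces how jQuery's $() classifies a string before and after
// the fix for ticket #11290, and offers a guard for code stuck on
// 1.8.3. Both regexes are assumed approximations of jQuery's
// internal rquickExpr, not copied verbatim.
'use strict';

// jQuery 1.6.3-1.8.3: a <tag> appearing after a run of non-'#'
// characters makes the whole string HTML, so ".item <b>x</b>" is
// parsed as markup rather than as a class selector.
const RQUICK_OLD = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.9+: only strings that START with '<' are HTML.
const RQUICK_NEW = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns 'html', 'id' or 'selector' for the given jQuery line.
function classify(str, version) {
  const m = (version === 'old' ? RQUICK_OLD : RQUICK_NEW).exec(str);
  if (m && m[1]) return 'html';     // HTML-building path
  if (m && m[2]) return 'id';       // getElementById fast path
  return 'selector';                // Sizzle / querySelectorAll path
}

// Guard for apps that must keep running on 1.8.3: refuse any selector
// string carrying markup so it can never reach the HTML path. Code that
// really wants to build elements should call $.parseHTML or $('<tag>')
// explicitly instead of passing data through $().
function safeSelector(str) {
  if (typeof str !== 'string' || str.indexOf('<') !== -1) {
    throw new TypeError('refusing selector with markup: ' + JSON.stringify(str));
  }
  return str;
}

// Constructed sample inputs: a plain class selector, a class selector
// with embedded markup (the shape behind the "class selector" finding
// quoted in the original post), an id, and deliberate HTML.
const SAMPLES = ['div.item', '.item <b>x</b>', '#main', '<div>hi</div>'];

// One row per sample: how 1.8.3 and the fixed version would treat it.
function report() {
  return SAMPLES.map((s) => ({
    input: s, old: classify(s, 'old'), fixed: classify(s, 'new'),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of report()) console.log(row);
}
```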

Hi

I support this request.

We also get risks raised on every pen test because of the jQuery version. OutSystems has documented that the vulnerabilities have been patched, but it's still an annoyance to have the risk raised every couple of months.

Also, Google Analytics reports that using old versions of jQuery can cause slower responses, so we are also getting demand for an upgrade from Marketing.

Thanks

Ross

Good news!

I've learned that OutSystems has a new version of the web UI coming out soon that solves this.

Hearing rumors it could be around January.
