Is the outsystems not a subset of 1.8.3 and slightly customized?

Furthermore, personally I am not keen on a newer version, because chances are it's more bloated.

It could be a subset, but the above vulnerability; is valid. And maybe there are even more. It is always the best to stay up-to-date because of security updates.

Funny enough we have an issue now with a security audit :(

So I need to like it now :D

Maybe the same Auditor?

Or just supply a more recent version as a possible choice in the espace configuration. So you can check and switch on your own time.

We've done implementations to bypass the default jquery version but you may get conflicts trying to load two versions.

Regarding the 3.3.1 being more bloated. Actually it's the other way around.

JS evolved to have querySelectorAll. Which has the same job as the $ selector function from jQuery.

jQuery 3 only assigns $ to this function and builds upon it. While jQuery 1 (and 2 I think) has it built from the ground up.

The overall production size is reduced by almost 10KB but the runtime performance is a lot higher because the core of jQuery (the selector function) runs directly from vanilla JS. Meaning the function that runs all the time is now faster.

Personally, I've noticed specially the speed improvement on those big cycles and big ".each()"; It used to feel like the browser was about to break and now it never happens.

From 1 to 2 it had a lot of improvements for mobile as well, specially on ontouch events which didn't always trigger.

Please double check browser support as jQuery dropped some support by using the native functions (https://jquery.com/browser-support/ IE9+ and only the webkit version of Opera seems to be what to look for)

As a side note, querySelectorAll was such a massive improvement that it has a lot of developers moving away from jQuery because they only really used it for the selector.

https://success.outsystems.com/Support/Enterprise_Customers/Troubleshooting/FALSE_POSITIVE_-_jquery_1.8.3_flagged_as_a_vulnerable_library

I tried to create a jsTree Wrapper as Forge but I gave up because jQuery 1.9.0 or later was mandatory.

https://www.jstree.com/

Leaving the version up of the 3rd party library is a big problem both as a business and as a motivation of an engineer.

From the above, I fully agree with the following.

> Please stay up-to-date with 3rd party libraries. 

# Of course I know how to use multiple versions concurrently.
# However, it is best that OutSystems upgrade the version.

Hello - I am with Humana (Fortune 50 company) dealing with sensitive healthcare and financial data.
We launched our first site - https://firstlook.humana.com and folks love it!

HOWEVER, our IT security teams have thrown a BIG RED FLAG over jQuery 1.8.3
We can NOT deploy anything other than simple no-login public sites UNTIL jQuery is upgraded.

jQuery only supports version 3 or greater - 1.8.3 is fully de-supported

1) When will OutSystems upgrade to a newer jQuery?

2) I read it's possible to manually upgrade jQuery - BUT - this is a breaking change so what can I do in the near term?

WE ARE STUCK!

Thanks

-Bruce Buttles

bbuttles@humana.com

Hi Bruce,

On our existing web runtime, we allow two jQuery versions (1.4.2 OS and 1.8.3). While these have been discontinued, we have continued to do major security fixes. One of the most common issues in 1.8.3 is vulnerability #11290 (https://bugs.jquery.com/ticket/11290) which relates to a potential Cross Site Scripting vulnerability in jQuery's selector operator ( $ ). 

As of OutSystems version 9.1.401.0 the fix was implemented and backported and the $ operator is no longer vulnerable to this attack.

Also, and as Tiago said, we're currently working on a bolder plan, where jQuery will not needed.

Regards,

Ricardo Alves

Hi

I support this request.

We also get risks raised on every pen test because of the jQuery version. OutSystems has documented that the vulnerabilities have been patched, but it's still an annoyance to have the risk raised every couple of months.

Also, Google Analytics reports that using old versions of jQuery can cause slower responses, so we are also getting demand for an upgrade from Marketing.

Thanks

Ross

Good new!

I've learned that OutSystems has a new version of the web UI coming out soon that solves this.

Hearing rumors it could be around January.

The new Reactive Web Apps implementation is better then asked for in this Idea! Great work!

But keep in mind: Please stay up-to-date with 3rd party libraries.

good idea!!! +1

Would be great if this upgraded soon as it could have other vulnerabilities which are not fixed.