[BlueOnyx:26662] Re: jquery warning
Michael Stauber
mstauber at blueonyx.it
Tue Dec 12 10:55:04 -05 2023
Hi Taco,
> To be very honest, I personally think the XSS issue
> this version has is not exploitable (easily) and I cannot think of any
> way running this version would impact the security of the BlueOnyx UI.
Indeed. We don't use jQuery for critical or security-related functions
and the GUI as well as CCEd have CSRF, XSS filtering, ACLs,
multi-layered input validation (in the GUI itself and in CCE), plus
there is a strict content policy that prevents the loading of external
content into the GUI. So I can't imagine a scenario where a jQuery
vulnerability would affect us.
> I agree we should always aim to run on non-vulnerable versions, but as
> sometimes upgrading to newer versions breaks the compatibility this would
> not be an easy effort.
I'll take a look at this today. If I can't upgrade jQuery and retain
compatibility with the offered migration plugins I'll at least replace
jQuery with a patched version that's floating around and being
maintained for those who can't do a straight up move to the latest version.
--
With best regards
Michael Stauber