Required jQuery UI Gem with XSS Vulnerability #3003

Closed
woidda opened this issue Mar 20, 2018 · 1 comment

Comments


woidda commented Mar 20, 2018

Currently, rails_admin is locked to jquery-ui-rails.
See the bundle output when trying to update jquery-ui-rails:

rails_admin (~> 1.3) was resolved to 1.3.0, which depends on
      jquery-ui-rails (~> 5.0)

Unfortunately, jquery-ui-rails version 5.0.5 (published on May 12, 2015) includes jQuery UI version 1.11.4, which has an XSS vulnerability.

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Although this might not be that serious an attack vector, it is still one, and the Google Lighthouse plugin also recognizes the vulnerability. This might lead to a worse ranking in Google search results.

Using the rails_admin gem hinders a Rails app from updating jquery-ui-rails when it is used in other places.
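The dependency chain above is something a build pipeline can check for automatically. The following is an added example, not code from the issue or from rails_admin: it parses the `GEM`/`specs` block of a Gemfile.lock, flags a `jquery-ui-rails` resolution that still ships jQuery UI older than 1.12.0, and reports which gem's requirement pins it there. It assumes that jquery-ui-rails 6.0.0 is the first release bundling jQuery UI 1.12.x, and the sample lockfile is constructed to mirror the resolution shown in the bundle output.

```ruby
# Added example (not from the issue or rails_admin): flag a Gemfile.lock whose
# jquery-ui-rails resolution predates jQuery UI 1.12.0 (closeText XSS) and report
# which gem pins it. Assumption: jquery-ui-rails 6.0.0 is the first release
# bundling jQuery UI 1.12.x.
require 'rubygems'
FIXED_JQUERY_UI_RAILS = Gem::Version.new('6.0.0')

# Constructed sample lockfile mirroring the resolution shown in the issue.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-ui-rails (5.0.5)
        railties (>= 3.2.16)
      rails_admin (1.3.0)
        jquery-ui-rails (~> 5.0)
        railties (>= 5.0, < 6)

  DEPENDENCIES
    rails_admin (~> 1.3)
LOCK

# Parse the GEM/specs block into { name => { version:, deps: { dep => requirement } } }.
def lockfile_specs(lock_text)
  specs, current, in_specs = {}, nil, false
  lock_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/  # next top-level section (PLATFORMS, DEPENDENCIES)
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/  # 4-space indent: a resolved gem
      current = $1
      specs[current] = { version: Gem::Version.new($2), deps: {} }
    elsif current && line =~ /\A {6}(\S+)(?: \(([^)]+)\))?\s*\z/  # 6-space: its dependency
      specs[current][:deps][$1] = $2 || '>= 0'
    end
  end
  specs
end

# Gems whose declared requirement keeps gem_name at its current resolution.
def pinned_by(specs, gem_name)
  specs.select { |_, s| s[:deps].key?(gem_name) }.map { |name, s| [name, s[:deps][gem_name]] }
end

def vulnerable_jquery_ui?(specs)
  s = specs['jquery-ui-rails']
  !s.nil? && s[:version] < FIXED_JQUERY_UI_RAILS
end
```

Run against a real Gemfile.lock (`lockfile_specs(File.read('Gemfile.lock'))`), `pinned_by` names the gem whose requirement has to be relaxed before `bundle update jquery-ui-rails` can succeed.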

mshibuya added a commit that referenced this issue May 3, 2018

woidda commented Jul 16, 2018

Are there any plans to make a new release? This fix is, well, not that fresh anymore...
