
Update jQuery or apply the fix? #1814

Closed
hrbrmstr opened this issue Apr 30, 2020 · 5 comments · Fixed by #2197
Labels: next (to consider for next release)
Comments

@hrbrmstr

@cpsievert
Contributor

cpsievert commented Apr 30, 2020

jQuery.htmlPrefilter was added in jQuery 2.2.0 and html_document() is still on 1.11.3, so this vulnerability isn't currently relevant to rmarkdown.

It's worth noting that rmarkdown will soon upgrade to jQuery 3.x as a part of #1706, and it will do so via jquerylib, which has already been upgraded to 3.5.0 on GitHub; a CRAN update will soon follow.

The current shiny release is on 3.4.1, so we'll soon have a new release with jQuery 3.x bumped to 3.5 (by the way, you can also use jQuery 1 today with options(shiny.jquery.version = 1)). However, I'd like to point out that the implications of the vulnerability seem small... shiny goes out of its way to make sure it doesn't treat user input directly as unescaped HTML. It's a much more common situation that the shiny developer hasn't properly escaped user input in their R code, which is something we can't manage for you.

This could, of course, still be an issue today if you have some other widget bringing in a vulnerable jQuery version. We'll do our part to make sure packages that we maintain (e.g., crosstalk) are up-to-date, but we can't necessarily control what 3rd party packages are doing. That concern should largely go away though once #1688 is done (implying that shiny and all html_document()s will be on >= 3.5.0).
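As an added example that is not part of this thread or of the shiny/htmltools projects, the following R snippet contrasts the two situations described above: app code that wraps user input in HTML() itself (the developer-side mistake) beside the default htmltools behaviour that escapes text. The function names and the sample input are constructed for illustration.

```r
# Added example; not code from the rmarkdown or shiny projects.
# Demonstrates why shiny's own rendering of user input is safe by default,
# and where the escaping responsibility shifts to the app developer.
library(htmltools)

# Constructed sample of "user input" that happens to contain markup.
user_text <- "<i>Tom</i> & Jerry"

# Unsafe pattern: HTML() marks the string as trusted markup, so whatever the
# user typed is emitted verbatim into the page and interpreted by the browser.
unsafe_fragment <- function(txt) {
  HTML(paste0("<b>", txt, "</b>"))
}

# Safe pattern: a plain character child of a tag is escaped by htmltools
# (&, <, >) when the tag is rendered, so the input is shown as text.
safe_fragment <- function(txt) {
  tags$b(txt)
}

# Safe pattern when a string must be assembled by hand: escape first, then
# mark the result as HTML. htmlEscape(attribute = TRUE) also escapes quotes
# for use inside attribute values.
safe_fragment_manual <- function(txt) {
  HTML(paste0("<b>", htmlEscape(txt), "</b>"))
}

# Render each fragment to a string and compare: only the unsafe variant
# keeps the user's <i> tag live in the output.
cat(as.character(unsafe_fragment(user_text)), "\n")
cat(as.character(safe_fragment(user_text)), "\n")
cat(as.character(safe_fragment_manual(user_text)), "\n")
```

The same distinction applies inside renderUI(): returning tags$b(input$name) is escaped, while HTML(paste0(...input$name...)) is not.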

@cpsievert
Contributor

(@yihui feel free to close this issue)

@apreshill
Contributor

@cderv I added the next label here (thanks @michaelquinn32) so we make sure this ends up in the next rmarkdown release.

@cderv
Collaborator

cderv commented Apr 26, 2021

Currently we need jQuery in rmarkdown in a few places, specifically when using toc_float, or for the tabsets, code folding and source embed features. This is also included for bootstrap when theme != NULL.

Side note: This is kind of a duplication because the first two require the theme argument to be non-NULL, which will trigger the inclusion of bootstrap and jQuery.

As mentioned above, let's recall that when using theme to use bslib, the jQuery version used will be the one imported from bslib, which is already updated.
Example of YAML:

output:
  html_document:
    theme:
      version: 4 # or 3

These can be used already without any change in rmarkdown.

We'll make the update for when bslib is not used.

@cderv cderv added this to the v2.9 milestone May 25, 2021
@yihui yihui modified the milestones: v2.9, v2.10 Jun 21, 2021
yihui added a commit that referenced this issue Aug 2, 2021
yihui added a commit that referenced this issue Aug 6, 2021
@github-actions

github-actions bot commented Feb 8, 2022

This old thread has been automatically locked. If you think you have found something related to this, please open a new issue by following the issue guide (https://yihui.org/issue/), and link to this old issue if necessary.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 8, 2022
5 participants