
scala-compiler jar contains jQuery 1.8.2 that is vulnerable to number of XSS attacks: CVE-2012-6708, CVE-2012-6708, CVE-2019-11358 #11567

Closed
plokhotnyuk opened this issue Jun 14, 2019 · 4 comments · Fixed by scala/scala#8179

Comments

@plokhotnyuk

plokhotnyuk commented Jun 14, 2019

It was detected by the amazing sbt-dependency-check plugin when applied to the jsoniter-scala repo.

Steps to get and open reports for different Scala versions:

git clone https://github.com/plokhotnyuk/jsoniter-scala
cd jsoniter-scala
sbt clean +dependencyCheck
xdg-open jsoniter-scala-macros/target/scala-2.11/dependency-check-report.html
xdg-open jsoniter-scala-macros/target/scala-2.12/dependency-check-report.html
xdg-open jsoniter-scala-macros/target/scala-2.13/dependency-check-report.html
@SethTisue SethTisue modified the milestones: 2.13.1, 2.11.13 Jun 14, 2019
@plokhotnyuk plokhotnyuk changed the title scala-compiler jar contains jQuery that is vulnerable to XSS attacks before 1.9.0 scala-compiler jar contains jQuery 1.8.2 that is vulnerable to number of XSS attacks: CVE-2012-6708, CVE-2012-6708, CVE-2019-11358 Jun 14, 2019
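The report above came from running sbt-dependency-check over the whole build. The script below is an added example, not code from this issue or from the Scala project, showing the narrower check a practitioner can script directly against a single jar: walk its entries, look for the version banner jQuery prints at the top of its source files, and flag any copy older than an assumed floor. The jar built in memory here is constructed for the demo, as is the resource path used for the fake jquery.js entry and the 3.4.0 floor; substitute the jar you actually ship and the floor that matches the advisories you need closed.

```python
import io
import re
import zipfile

# Banner that jQuery ships at the top of its source, e.g.
# "jQuery JavaScript Library v1.8.2" (full build) or
# "jQuery v1.8.2 jquery.com | jquery.org/license" (minified).
# Assumption: the bundled copy keeps that header comment.
JQUERY_BANNER = re.compile(rb"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")

# Assumed floor for this example; the thread above settled on moving to jQuery 3.x.
MIN_JQUERY_VERSION = (3, 4, 0)


def parse_version(text):
    """'1.8.2' -> (1, 8, 2), so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_jquery(jar_bytes):
    """Return {entry_name: version_string} for every .js entry carrying a jQuery banner."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.endswith(".js"):
                continue
            head = jar.read(info.filename)[:4096]  # banner sits in the first few lines
            match = JQUERY_BANNER.search(head)
            if match:
                found[info.filename] = match.group(1).decode("ascii")
    return found


def outdated_jquery(jar_bytes, floor=MIN_JQUERY_VERSION):
    """Return only the bundled jQuery copies whose version is below `floor`."""
    return {
        name: version
        for name, version in find_bundled_jquery(jar_bytes).items()
        if parse_version(version) < floor
    }


def build_sample_jar():
    """Constructed stand-in for a scala-compiler jar (not the real artifact):
    a fake jquery.js with the 1.8.2 banner, an unrelated script and a class entry.
    The resource path is an assumption made for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "scala/tools/nsc/doc/html/resource/lib/jquery.js",
            "/*! jQuery v1.8.2 jquery.com | jquery.org/license */\n(function(){})();\n",
        )
        jar.writestr(
            "scala/tools/nsc/doc/html/resource/lib/index.js",
            "// scaladoc page script, no jQuery banner\n",
        )
        jar.writestr("scala/tools/nsc/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    floor_text = ".".join(str(p) for p in MIN_JQUERY_VERSION)
    for name, version in outdated_jquery(sample).items():
        print(f"{name}: bundled jQuery {version} is below {floor_text}")
```

Because the check reads only the jar, it can run in CI against the published artifact rather than against a project that happens to depend on it, which is where the thread's finding would otherwise keep resurfacing one downstream build at a time.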
@exoego

exoego commented Jun 26, 2019

I want to provide help to this issue.
Let me have a couple of days.

@exoego

exoego commented Jun 26, 2019

Question to @scala/docs
What is the web browser requirement for ScalaDoc, especially Internet Explorer?

Supported versions

  • jQuery 1.x: Supports IE6+
  • jQuery 2.x: Supports IE8+
  • jQuery 3.x: Supports IE9+

According to some browser usage statistics (I dug through https://caniuse.com), global IE6-9 usage is very low (less than 0.5%).
Since Microsoft has already terminated IE8 support, I think we may switch to jQuery 2.x or 3.x, which is supposed to be faster and more stable.

@dwijnand
Member

Yeah, jQuery 3.x sounds reasonable. I'll let you know if there's pushback on that idea.

@exoego

exoego commented Jun 27, 2019

Opened a PR scala/scala#8179


5 participants