update embedded jQuery & jquery-ui to one that addresses known vulnerabilities

[foreveremain]

We've had some reports from JalviewJS users about detectable vulnerabilities in the SwingJS runtime - see e.g. jalview/jalview-js#12

The core problem is jQuery v1.11.0. Whilst its possible we could patch the vulnerability (or it perhaps isn't even serious for SwingJS deployments), scanners will still see the version number and most likely complain.

I've had a go at porting the patches in swingjs2.js to the latest release of jQuery, this seemed to work OK - but I've now got issues with JQueryUI. Would be great to get some guidance @BobHanson !

[BobHanson]

Probably time to upgrade anyway. What are they finding?

…

On Fri, Jan 24, 2025, 11:58 AM Jim Procter ***@***.***> wrote: We've had some reports from JalviewJS users about detectable vulnerabilities in the SwingJS runtime - see e.g. jalview/jalview-js#12 <jalview/jalview-js#12> The core problem is jQuery v1.11.0. Whilst its possible we could patch the vulnerability (or it perhaps isn't even serious for SwingJS deployments), scanners will still see the version number and most likely complain. I've had a go at porting the patches in swingjs2.js to the latest release of jQuery, this seemed to work OK - but I've now got issues with JQueryUI. Would be great to get some guidance @BobHanson <https://github.com/BobHanson> ! — Reply to this email directly, view it on GitHub <#279>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEHNCW2RWES76HHOT4K637T2MJ5NRAVCNFSM6AAAAABV2GHGAKVHI2DSMVQWIX3LMV43ASLTON2WKOZSHAYTAMBVGE4TGOI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[foreveremain]

Mostly they're just detecting that jquery 1.11 is luring inside swingjs/swingjs2.js - this is picked up by retire.js. I can see that Jmol's demo pages don't get flagged - since Jmol-SwingJS bundles jQuery v3.7.4. I guess the simplest thing would be to rebuild against the unified SwingJS/Jmol-SwingJS runtime ?

retire.js report:

1.11.0	Found in https://builds.jalview.org/artifact/JB-GJB/shared/build-472/JalviewJS-site/swingjs/swingjs2.js _____Vulnerability info:medium2432 3rd party CORS request may execute CVE-2015-9251 GHSA-rmxg-73gg-4p981234mediumCVE-2015-9251 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98123mediumCVE-2019-11358 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq123mediumCVE-2020-11022 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px21mediumCVE-2020-11023 CVE-2020-23064 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j61low73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update	medium	2432 3rd party CORS request may execute CVE-2015-9251 GHSA-rmxg-73gg-4p98	1234	medium	CVE-2015-9251 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98	123	medium	CVE-2019-11358 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq	123	medium	CVE-2020-11022 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2	1	medium	CVE-2020-11023 CVE-2020-23064 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6	1	low	73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update
medium	2432 3rd party CORS request may execute CVE-2015-9251 GHSA-rmxg-73gg-4p98	1234
medium	CVE-2015-9251 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98	123
medium	CVE-2019-11358 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq	123
medium	CVE-2020-11022 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2	1
medium	CVE-2020-11023 CVE-2020-23064 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6	1
low	73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update

[BobHanson]

It's just copying Jmol-SwingJS.zip <https://github.com/BobHanson/Jmol-SwingJS/blob/master/dist/Jmol-SwingJS.zip> into your appropriate (?) resource/ directory and then running a build again. I can't remember exactly which directory that is for you. Also there was something about Java 11. But that may have only been for the compiling of the Jalview code itself, not this library.

…

On Mon, Jan 27, 2025 at 9:13 AM Jim Procter ***@***.***> wrote: Mostly they're just detecting that jquery 1.11 is luring inside swingjs/swingjs2.js - this is picked up by retire.js. I can see that Jmol's demo pages don't get flagged - since Jmol-SwingJS bundles jQuery v3.7.4. I guess the simplest thing would be to rebuild against the unified SwingJS/Jmol-SwingJS runtime ? retire.js report: 1.11.0 Found in https://builds.jalview.org/artifact/JB-GJB/shared/build-472/JalviewJS-site/swingjs/swingjs2.js _____Vulnerability info:medium2432 3rd party CORS request may execute CVE-2015-9251 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> GHSA-rmxg-73gg-4p98 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 1234mediumCVE-2015-9251 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98 <https://github.com/advisories/GHSA-rmxg-73gg-4p98>123mediumCVE-2019-11358 <https://github.com/advisories/GHSA-6c3j-c64m-qhgq> 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq <https://github.com/advisories/GHSA-6c3j-c64m-qhgq> 123mediumCVE-2020-11022 <https://github.com/advisories/GHSA-gxr4-xjj5-5px2> 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2 <https://github.com/advisories/GHSA-gxr4-xjj5-5px2>1mediumCVE-2020-11023 <https://github.com/advisories/GHSA-jpcq-cgw6-v4j6> CVE-2020-23064 <https://github.com/advisories/GHSA-257q-pv89-v3xv> 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6 <https://github.com/advisories/GHSA-jpcq-cgw6-v4j6>1low73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update medium 2432 3rd party CORS request may execute CVE-2015-9251 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> GHSA-rmxg-73gg-4p98 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 1234 medium CVE-2015-9251 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 123 medium CVE-2019-11358 <https://github.com/advisories/GHSA-6c3j-c64m-qhgq> 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq <https://github.com/advisories/GHSA-6c3j-c64m-qhgq> 123 medium CVE-2020-11022 <https://github.com/advisories/GHSA-gxr4-xjj5-5px2> 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2 <https://github.com/advisories/GHSA-gxr4-xjj5-5px2> 1 medium CVE-2020-11023 <https://github.com/advisories/GHSA-jpcq-cgw6-v4j6> CVE-2020-23064 <https://github.com/advisories/GHSA-257q-pv89-v3xv> 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6 <https://github.com/advisories/GHSA-jpcq-cgw6-v4j6> 1 low 73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update medium 2432 3rd party CORS request may execute CVE-2015-9251 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> GHSA-rmxg-73gg-4p98 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 1234 medium CVE-2015-9251 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98 <https://github.com/advisories/GHSA-rmxg-73gg-4p98> 123 medium CVE-2019-11358 <https://github.com/advisories/GHSA-6c3j-c64m-qhgq> 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq <https://github.com/advisories/GHSA-6c3j-c64m-qhgq> 123 medium CVE-2020-11022 <https://github.com/advisories/GHSA-gxr4-xjj5-5px2> 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2 <https://github.com/advisories/GHSA-gxr4-xjj5-5px2> 1 medium CVE-2020-11023 <https://github.com/advisories/GHSA-jpcq-cgw6-v4j6> CVE-2020-23064 <https://github.com/advisories/GHSA-257q-pv89-v3xv> 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6 <https://github.com/advisories/GHSA-jpcq-cgw6-v4j6> 1 low 73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update — Reply to this email directly, view it on GitHub <#279 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEHNCW3GC2GYFWT4GWDUQL32MZEI5AVCNFSM6AAAAABV2GHGAKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJWGAZDQNZQGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Robert M. Hanson Professor of Chemistry, Emeritus St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get.

-- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 *We stand on the homelands of the Wahpekute Band of the Dakota Nation. We honor with gratitude the people who have stewarded the land throughout the generations and their ongoing contributions to this region. We acknowledge the ongoing injustices that we have committed against the Dakota Nation, and we wish to interrupt this legacy, beginning with acts of healing and honest storytelling about this place.*