Upgrade jQuery past known vulnerabilities

[RudolfCardinal]

Thanks for Deform; lovely work!
An question/issue re the jQuery versuib and security:

• The current version of Deform (2.0.15) ships with static/scripts/jquery-2.0.3.min.js.
• The advice is to load this from <head> tags of pages using Deform, as per https://docs.pylonsproject.org/projects/deform/en/2.0-branch/basics.html#serving-up-the-rendered-form.
• However, jQuery 2.0.3 has known cross-site scripting vulnerabilities: https://snyk.io/vuln/npm:jquery and http://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html.

This was pointed out to us by a penetration testing company. They note that the potential exploit methods are complex, but I'm afraid I don't know whether this is in effect a false positive or whether it is a real concern. However, on the assumption that they are right:

Could Deform ship with a more recent jQuery version? I note this is clearly not as simple as dropping in the current version (3.6.0 does not work)! Many thanks for thinking about this.

[stevepiercy]

Yes, Deform could (and should) use a more current and secure version of jQuery.

I would accept a PR that passes all functional tests. I'd be happy to assist you with the setup if you want to do the necessary work.

Putting JavaScripts in the <head> was done because no one could figure out how to inject jQuery inside the closing </body> and inject a widget's JavaScripts after it. We did some work to make this more flexible, and more work is needed to complete the task.

Additionally we now have two branches.

• main is where development of the upcoming Deform 3.0 release takes place. It will use Bootstrap 5 and drop support for EOLed Python versions. We will also consider either replacing or dropping incompatible widgets that depend on a vulnerable version of jQuery. Demo: https://deformdemo3.pylonsproject.org/
• 2.0-branch receives backported changes from main. This branch will get minimal changes to support backward compatibility. Demo: https://deformdemo.pylonsproject.org/

[martinburchell]

Is this being considered for 3.0? @RudolfCardinal and I may have the capacity to help here, though we would need a better understanding of the scale of the changes required.