
Item14918: backport fix of CVE-2015-9251 and CVE-2019-11358

Priority: Security
Current State: Closed
Released In: 2.1.7
Target Release: patch
Applies To: Extension
Component: JQueryPlugin
Branches: Release02x01 master
Reported By: MichaelDaum
Waiting For:
Last Change By: MichaelDaum

The actual promoted approach is to move to the latest jquery-3.x ... which causes all other sorts of incompatibilities with the rest of the jquery pack, i.e. livequery. So it seems appropriate to backport those two relatively small fixes for jquery-2 instead.

-- MichaelDaum - 02 Jun 2020

That would seem the best approach I would think.

-- TimothyLegge - 09 Jun 2020

from the checkins:

  • removed support for old Internet Explorers < 11
  • deprecate LiveQuery module not compatible with jQuery-3 and not supported upstream anymore
  • new Observer implementation replacing deprecated LiveQuery
  • fixed rating formfield
  • fixed html5 data in %BUTTON macro
  • support svg icons in IconService now
  • added latest jQuery-3.5.1 and matching jquery.migrate module
  • removed any old jQuery versions other than the latest jQuery-2 and jQuery-3
  • patched issue in jQuery-2
  • improvements to Makefile system supporting lib, src and build subdirs
  • using terser in favour of uglifyjs if available
  • using csso in favor of cssmin if available
  • patched multiple modules to be compatible with jquery-3: blockUI, button, chili, farbtastic, focus, form, foswiki, placeholder, pnotify, scrollto, serialscroll, stars, tabpane, textboxlist, tmpl-loader, wikiword
  • fixed jquery.foswiki
  • added foswiki.normalizeWebTopicName javascript api, same as the perl one
  • updated hoverintent, jsrender, jsview, jQuery-ui, validate
  • fixed jquery.loader
  • backported jQuery.context to jquery-3 needed by new observer module

-- Main.MichaelDaum - 07 Nov 2020

 
Topic revision: r9 - 28 Mar 2022, MichaelDaum