CDR Tickets

Issue Number 5368
Summary Don't disclose jQuery versions
Created 2025-01-22 12:09:09
Issue Type Improvement
Submitted By Kline, Bob (NIH/NCI) [C]
Assigned To Kline, Bob (NIH/NCI) [C]
Status Resolved
Resolved 2025-02-06 10:19:38
Resolution Fixed
Path /home/bkline/backups/jira/ocecdr/issue.488432
Description

Addresses low-priority vulnerability reported by January 2025 appscan. Install a more recent version of jQuery, using filenames which contain no version identification. Affects:

  • base jQuery

  • jQuery UI Autocomplete

  • jQuery UI Dialog

  • jQuery UI Tooltip
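To make the appscan finding concrete, the following is an added check written for this page; it is not CDR code and not part of the ticket. Given page HTML, it lists every script and stylesheet reference whose filename embeds a library version (the disclosure the scanner reports) and proposes the version-free filename the description calls for. The sample HTML is constructed for the example, and the filename patterns are an assumption about common naming conventions (jquery-3.6.0.min.js, jquery-ui-1.12.1.min.css, and so on).

```javascript
// Added example (not CDR code): flag static-asset references whose filename
// leaks a library version and suggest the version-free name the ticket asks for.

// Pulls the src/href value out of <script> and <link> tags (assumed markup shape).
const ASSET_RE = /<(?:script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Splits "<library>-<major.minor[.patch]>[.min].<js|css>" into its parts.
// Assumed naming convention; adjust for other bundlers or CDNs.
const VERSION_RE = /^(.*?)[-._]v?(\d+\.\d+(?:\.\d+)?)((?:[-.]min)?\.(?:js|css))$/i;

// Returns one finding per versioned asset: the original URL, the library name,
// the disclosed version, and a suggested filename with the version removed.
function findVersionedAssets(html) {
  const findings = [];
  for (const m of html.matchAll(ASSET_RE)) {
    const url = m[1];
    // Strip query string and fragment, then keep only the filename.
    const file = url.split("?")[0].split("#")[0].split("/").pop();
    const v = VERSION_RE.exec(file);
    if (v) {
      findings.push({ url, library: v[1], version: v[2], suggested: v[1] + v[3] });
    }
  }
  return findings;
}

// Constructed sample page resembling the kind of markup the scanner flagged.
const SAMPLE_HTML = `
<head>
  <link rel="stylesheet" href="/css/jquery-ui-1.12.1.min.css">
  <script src="/js/jquery-3.6.0.min.js"></script>
  <script src="/js/jquery-ui-1.12.1.min.js"></script>
  <script src="/js/jquery.jplayer-2.9.2.js"></script>
  <script src="/js/cdr.js"></script>
</head>`;

for (const f of findVersionedAssets(SAMPLE_HTML)) {
  console.log(`${f.url}: ${f.library} ${f.version} -> rename to ${f.suggested}`);
}
```

Renaming the files only removes the version from the URL. A scanner that fetches the asset still sees it in jQuery's own header comment and in `jQuery.fn.jquery`, so the rename silences the filename check but does not change what an attacker can learn; keeping the library current, or dropping it as this ticket ultimately did, is what actually closes the issue.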

Comment entered 2025-02-03 13:48:53 by Kline, Bob (NIH/NCI) [C]

I'm addressing this by removing our dependency on jQuery altogether, using plain vanilla JavaScript instead. In Publish Preview for summary documents (both CIS and DIS), we weren't using jQuery anyway. As far as I can tell, removing links to jQuery, jQuery UI, and jPlayer has no undesirable effects on publish preview for glossary terms. The WCMS team has given us a link which we can use if problems arise. We'll add it to SCRIPT below if any incorrect behavior is reported. Some testing will be required, but I have all the automated tests passing again.

Comment entered 2025-02-03 13:53:29 by Kline, Bob (NIH/NCI) [C]

One thing you'll notice on DEV, as a result of the purge of jQuery, is that the fancy tooltips showing the documentation of the options and fields for creating a publishing job now appear when you hover over a question-mark icon instead of the field. The USWDS framework has tooltip formatting, but there's a bug which breaks radio buttons, so I had to add the icons and attach the tooltips to them. We've done it that way before. You're probably pretty happy with this change, since (a) you don't need the tooltips at all, because you use the Publishing system so frequently; (b) now they only appear when you hover over the icon; and (c) the jQuery implementation obscured more than the USWDS tooltips do when they appear (the latter are intelligent enough to figure out which offset direction obscures the field the least depending on things like the browser window size and the proximity of the tooltip to the edge of that window). Also, please take a look on DEV at the Summary QC Report form, which is one of the more tricky users of client-side scripting (and with which you're most familiar), to make sure I didn't break anything there. Oh, and the Manage Filter Set page. That one's a doozy!

Comment entered 2025-02-05 17:50:30 by Englisch, Volker (NIH/NCI) [C]

I looked at these pages on DEV and didn't see anything odd. It appears that everything I looked at is working as expected.

I thought it was a little odd, when looking at the Summary QC Report and checking the "Include Images" checkbox that the option "Use publishable version" was added directly underneath.  I remember this option to be a little indented as a child element of the "Include Images" parent.

I think I don't like the page being so "jumpy".  I'll get used to it. 🙂

Comment entered 2025-02-05 19:16:51 by Kline, Bob (NIH/NCI) [C]

This might jog your memory.

Comment entered 2025-02-06 10:19:38 by Kline, Bob (NIH/NCI) [C]

Dependency on jQuery has been removed on CDR DEV.

Comment entered 2025-02-06 10:42:39 by Kline, Bob (NIH/NCI) [C]
Attachments
File Name Posted User
uswds-tooltip.png 2025-02-03 13:57:30 Kline, Bob (NIH/NCI) [C]
