XF 2.1 XenForo 2.1.8 and above uses jQuery 3.4.1 (deprecation warning)

[Chris D]

We had already upgraded XF 2.2 to use jQuery 3.4.x but we have made the decision to bring that change forward to account for a potential XSS in jQuery 3.3.1, which you can read about here: https://xenforo.com/community/threads/jquery-3-3-1-cross-site-scripting-vulnerability.177281/

To be clear, we do not believe XF to be exploitable with this out of the box and it is generally unlikely to be, even with add-on and other third party code.

However, with this, we need to make you aware of a few deprecations.

Deprecating positional selectors and the sunset of Sizzle

...

Specifically, jQuery 3.4.0 is deprecating :first, :last, :eq, :even, :odd, :lt, :gt, and :nth. When we remove Sizzle, we’ll replace it with a small wrapper around querySelectorAll, and it would be almost impossible to reimplement these selectors without a larger selector engine.

We think this trade-off is worth it. Keep in mind we will still support the positional methods, such as .first, .last, and .eq. Anything you can do with positional selectors, you can do with positional methods instead. They perform better anyway.

While the positional selectors will still work, for now, we recommend you make changes for now to avoid code breakages when they are finally removed.

As an example, if you have some code which looks like:

var $header = $content.find('.block-header:first');

You would change this to:

var $header = $content.find('.block-header').first();

We recommend searching all of your JavaScript code (and jQuery code from vendors) to see if these positional selectors have been used: :first, :last, :eq, :even, :odd, :lt, :gt, and :nth.

If they have been used we recommend making changes now so that when we upgrade to a future version of jQuery and those selectors are removed your code will continue to work.

 

[Nulumia]

Though I know some people may hate it, this is one of the things I like about Xenforo - things like bundled assets and specs are kept very much up to date. Wordpress tends to do a decent job for the most part, but there's plenty of major platforms that still run years-old core libraries (probably not wanting to upset entrenched users & their systems running on them).

I suppose once you have a large established userbase, it's hard to tell them all to go through painful upgrades without rioting. But Xenforo keeping this practice from the start I feel keeps people on their toes in a good way

 

[Lukas W.]

Wordpress is one of the examples I would name for slacking behind to not displease their entrenched users. They're still stuck on jQuery 1.12 to just name the current given example, but their core code is riddled with outdated programming principles, implementations, etc., you name it. All in the name of "backwards compatibility".

 

[Kirby]

We had already upgraded XF 2.2 to use jQuery 3.4.x

Way more important than upgrading XF 2.2 to use jQuery 3.4 would be to release a XF 2.2 DP
JK, thanks for the info.

 

[Nulumia]

They're still stuck on jQuery 1.12

Is it really still that bad?? I haven't been through the guts of most recent versions but can't believe they're that far behind

but their core code is riddled with outdated programming principles, implementations, etc., you name it

Not just core, but a year or two back I saw an article where the top 100 or so power selling themes from ThemeForest were tested and were found to be rampant in security flaws lol. Yikes..

I wonder if vB5 has fared any better? Haven't followed the platform in some time now after moving to XF

 

[Lukas W.]

Is it really still that bad?? I haven't been through the guts of most recent versions but can't believe they're that far behind

1.12.4 for three years and counting. They have jQuery migrate in place, but the longer they wait, the more breaking changes they accumulate.

Not just core, but a year or two back I saw an article where the top 100 or so power selling themes from ThemeForest were tested and were found to be rampant in security flaws lol. Yikes..

Losely following the changelog for WordPress and the number of security issues in the main code alone, I'm not surprised. Especially considering there's little to no exposed methods for devs to harden against even common attack vectors.

I wonder if vB5 has fared any better? Haven't followed the platform in some time now after moving to XF

In what regards? I think vBs main problem is that they were too lazy too long, just like many phone developers missed to jump onto the smartphone train.

 

[Nulumia]

In what regards? I think vBs main problem is that they were too lazy too long, just like many phone developers missed to jump onto the smartphone train.

Agreed. Memory's getting fuzzy on it at this point, but I believe around the vB4-vB5 transition phase, they were going through a lot of backlash over said laziness, when security loopholes and outdated code were coming into question. Seeing as how core vB talent had moved to Xenforo, they definitely seemed to want to run a tighter ship from the start.

 

[delicatebobster]

So xf 2.1.8 was released now, looks like i have some work todo before i can upgrade

 

[briansol]

There are 2 known xss flaws in jquery 3.4.1. I hope 2.2 is updated to use 3.5.1 or higher at this point.

jquery 3.4.1 vulnerabilities | Snyk

Learn more about known jquery 3.4.1 vulnerabilities and licenses detected.

snyk.io

 

[Mike]

Yes, 2.2 uses 3.5.1.

We have currently opted not to include it in 2.1 as the fixes for the issues also introduce some very subtle backwards compatability issues (we know of 1 specific issue in XF though others may come out over time). The issues also require receiving a particular set of HTML in a certain method and we are not aware of any cases within XF that are exploitable.