A jQuery 1.x vulnerability exists and no fix is planned

I haven’t seen much talk about this issue around the Internet, so I thought I’d present what I’ve learned for others to be aware of. It mainly has to do with the fact that jQuery 1.x (and 2.x, for that matter) was superseded by 3.x, yet the older branches are still thriving in many, many projects, applications, and websites to this day.

While doing a security review of some code the other day, a Retire.js scan informed me that jQuery 1.x contained a Medium-severity vulnerability in cross-domain ajax requests. According to Snyk:

“Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Remediation: Upgrade jquery to version 3.0.0 or higher.”

“Upgrading to 3.0.0 or higher seems pretty drastic,” I thought to myself. Well, according to a comment I found on jQuery’s GitHub page, this is actually their stance: they don’t plan on patching 1.x (or 2.x), because the fix itself is a ‘breaking change’ and so was shipped only in 3.0:

https://github.com/jquery/jquery/issues/2432#issuecomment-290983196

So it would behoove you to upgrade to jQuery 3 if you don’t want to be susceptible to this vulnerability. The magnitude of that may seem rather staggering when you consider how many projects across just about everything (WordPress plugins, Drupal modules, etc etc) bundle a 1.x copy of jQuery and haven’t updated it in years.

The vulnerable path is narrow but easy to hit by accident: a cross-domain $.ajax call that does not set the dataType option, answered with a text/javascript (or similar script) Content-Type, gets its body evaluated by jQuery as code in your page. If you must stay on 1.x for now, setting dataType explicitly on every cross-domain call turns that content sniffing off for that call, but it is not exactly reasonable to assume that developers know they need to do that if they intend to use jQuery 1.x. And this is but one risk that has come to light for which there will be no fix.
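To make the conditions concrete, here is an added example (my own code, not jQuery’s) that models the part of jQuery 1.x/2.x response handling that gh-2432 is about: how the response type is chosen when no dataType is given, what the jQuery 3.0 guard changes, and which cases remain unchanged. The function names (isCrossDomain, hardenCrossDomain, resolveResponseType, wouldExecute, scenarios), the scenario URLs and the Content-Type patterns are this example’s own approximations of jQuery’s defaults.

```javascript
// Added example, not jQuery's code: a model of how jQuery 1.x/2.x picks the
// type of an ajax response, reduced to the part that makes gh-2432 bite. The
// function names (isCrossDomain, hardenCrossDomain, resolveResponseType,
// wouldExecute, scenarios) and the scenario URLs are this example's own.

// jQuery's default "contents" map (patterns approximated here). With no
// dataType given, the first pattern that matches the response Content-Type
// decides how the body is handled.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}

// jQuery flags a request as crossDomain when scheme or host:port differ from
// the page's own; the same check done with the WHATWG URL API.
function isCrossDomain(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const req = new URL(requestUrl, pageOrigin);
  return page.protocol !== req.protocol || page.host !== req.host;
}

// The settings object as $.ajax would see it after defaults are applied.
function makeSettings(pageOrigin, options) {
  return {
    url: options.url,
    dataType: options.dataType, // undefined means "*": sniff from Content-Type
    crossDomain: isCrossDomain(pageOrigin, options.url),
    contents: defaultContents(),
  };
}

// The guard jQuery 3.0 added for gh-2432, as a prefilter. On 1.x/2.x you can
// register the same thing yourself in page code:
//   jQuery.ajaxPrefilter(function (s) { if (s.crossDomain) { s.contents.script = false; } });
// It only disables sniffing; an explicit dataType: "script" still runs.
function hardenCrossDomain(settings) {
  if (settings.crossDomain) {
    settings.contents.script = false;
  }
  return settings;
}

// Which converter the response goes through. "script" means jQuery.globalEval:
// the body runs as JavaScript in the page.
function resolveResponseType(settings, contentTypeHeader) {
  if (settings.dataType && settings.dataType !== "*") {
    return settings.dataType;
  }
  for (const [type, pattern] of Object.entries(settings.contents)) {
    if (pattern && pattern.test(contentTypeHeader)) {
      return type;
    }
  }
  return "text";
}

function wouldExecute(settings, contentTypeHeader) {
  return resolveResponseType(settings, contentTypeHeader) === "script";
}

// Constructed scenario: a page on shop.example.com calls a third-party feed,
// and the feed host (or whoever sits between the two) answers with script.
const PAGE = "https://shop.example.com/";
const FEED = "https://api.example.net/feed";
const SCRIPT_CT = "text/javascript; charset=utf-8";

function scenarios() {
  return {
    // No dataType, cross-domain: the vulnerable case the advisory describes.
    unfixed: wouldExecute(makeSettings(PAGE, { url: FEED }), SCRIPT_CT), // true
    // Explicit dataType: the body goes to the JSON parser and fails, never evaluated.
    typed: wouldExecute(makeSettings(PAGE, { url: FEED, dataType: "json" }), SCRIPT_CT), // false
    // The prefilter guard: sniffing can no longer pick "script" cross-domain.
    hardened: wouldExecute(hardenCrossDomain(makeSettings(PAGE, { url: FEED })), SCRIPT_CT), // false
    // Same-origin is unchanged even by the 3.0 fix; your own server is trusted.
    sameOrigin: wouldExecute(hardenCrossDomain(makeSettings(PAGE, { url: "/feed" })), SCRIPT_CT), // true
    // Asking for a script explicitly is still honoured, as intended.
    explicitScript: wouldExecute(hardenCrossDomain(makeSettings(PAGE, { url: FEED, dataType: "script" })), SCRIPT_CT), // true
  };
}

console.log(scenarios());
```

Two things worth noticing in the output: with dataType: "json" the script body never reaches globalEval because jQuery hands it to its JSON parser, which throws and lands you in the error callback; and the prefilter only changes the cross-domain, unspecified-dataType case, which is why the 3.0 fix was considered a breaking change for sites relying on that sniffing.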

The longer jQuery 1.x sits in your project, the higher a risk it becomes.

As the impending OWASP Top-10 for 2017 says, “Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.”

Long story short: Keep your bundled libraries up to date!

WordPress and jQuery issues

First, I don’t remember where I found this along the way, but this is a smart and efficient way to include jQuery in your WordPress themes. One caveat before you copy it: it pulls the 1.x line from Google’s CDN, which is exactly the branch the first section says will never be fixed, so at the very least load it over https, and consider pointing the URL at a 3.x release instead (and then checking your plugins against it). Just add this to your theme’s functions.php file:

// ADDING JQUERY
add_action( 'init', 'jquery_register' );
add_filter( 'script_loader_src', 'jquery_unversion' );

function jquery_register() {
    // Only swap jQuery on the public site; the admin screens rely on the bundled copy.
    if ( ! is_admin() ) {
        wp_deregister_script( 'jquery' );
        // Fetch the CDN copy over https only; a plain-http script can be altered in transit.
        wp_register_script( 'jquery', 'https://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js', array(), '1.x', false );
        wp_enqueue_script( 'jquery' );
    }
}

// remove version tag to improve cache compatibility
function jquery_unversion( $src ) {
    if ( strpos( $src, 'ajax.googleapis.com' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}

Now, the issue I have been having is that when I try to add my own jQuery scripts or functions in my theme’s header.php file, I always get this error:

“$ is not a function”

What?  Yes it is, dammit!

It turns out that WordPress loads its bundled jQuery in noConflict mode: jQuery.noConflict() runs as soon as the library is loaded and hands the $ shortcut back to whatever else might want it, so in theme and plugin code only the jQuery name is guaranteed to be jQuery. The fix is to use jQuery instead of $, either by renaming every occurrence, as below, or by receiving jQuery as a named $ argument inside a jQuery(document).ready(function($) { ... }) wrapper. Example of the rename:

Before

<script type="text/javascript">
$(document).ready(function() {
    $('.slideshow').cycle({
        fx: 'fade',
        timeout: 4000,
        speed: 2000
    });
});
</script>

After

<script type="text/javascript">
jQuery(document).ready(function() {
    jQuery('.slideshow').cycle({
        fx: 'fade',
        timeout: 4000,
        speed: 2000
    });
});
</script>
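To show why the rename works and that it is not the only option, here is an added example (constructed by me, not WordPress’s or jQuery’s code) with a stand-in for the slice of jQuery that matters here, so the failure and both fixes can be run outside a browser. makeJQueryStandIn, loadAsWordPressDoes and the themeCode* functions are this example’s own names; the cycle() method stands in for the Cycle plugin call in the snippet above.

```javascript
// Added example (constructed; not WordPress's or jQuery's code): a stand-in for
// the slice of jQuery that matters here, so the failure and both fixes can be
// run outside a browser. makeJQueryStandIn, loadAsWordPressDoes and the
// themeCode* functions are this example's own names.

function makeJQueryStandIn(global) {
  const previousDollar = global.$; // whatever owned $ before jQuery loaded
  const jq = function (selector) {
    return {
      selector,
      // Real jQuery passes itself as the handler's first argument.
      ready(handler) { handler(jq); return this; },
      // Stand-in for the Cycle plugin call used in the post.
      cycle(options) { return { selector, options }; },
    };
  };
  // noConflict() hands $ back to its previous owner and returns jQuery.
  jq.noConflict = function () {
    if (global.$ === jq) { global.$ = previousDollar; }
    return jq;
  };
  global.jQuery = jq;
  global.$ = jq;
  return jq;
}

// WordPress loads its bundled jQuery and then calls jQuery.noConflict(), so in
// theme and plugin code only the jQuery name is guaranteed to exist.
function loadAsWordPressDoes() {
  const global = {}; // stands in for window
  makeJQueryStandIn(global);
  global.jQuery.noConflict();
  return global;
}

// Before: theme code written as if $ were jQuery. Returns "ok" or the error type.
function themeCodeUsingDollar(global) {
  try {
    global.$(".slideshow").cycle({ fx: "fade", timeout: 4000, speed: 2000 });
    return "ok";
  } catch (e) {
    return e.constructor.name; // "TypeError": $ is not a function
  }
}

// After, option 1: the rename the post describes.
function themeCodeRenamed(global) {
  let result;
  global.jQuery("document").ready(function () {
    result = global.jQuery(".slideshow").cycle({ fx: "fade", timeout: 4000, speed: 2000 });
  });
  return result;
}

// After, option 2: keep writing $, but as a local that ready() hands you.
function themeCodeScopedDollar(global) {
  let result;
  global.jQuery("document").ready(function ($) {
    result = $(".slideshow").cycle({ fx: "fade", timeout: 4000, speed: 2000 });
  });
  return result;
}

const wp = loadAsWordPressDoes();
console.log(themeCodeUsingDollar(wp), themeCodeRenamed(wp).selector, themeCodeScopedDollar(wp).selector);
```

Option 2 is the one to prefer in a theme with a lot of existing $ code: nothing is renamed, and the $ you use is a function argument, so it keeps working no matter which other library has claimed the global one.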

Hope that saves someone the hours of frustration I have had with this.

Some CSS Resources

I found an excellent resource for Cascading Style Sheets (CSS), with a list of great tutorials and examples for the beginner or intermediate CSS user. These are basics that any developer or designer should have a handle on:

9 Top CSS Essential Skills That Every Web designer Should Learn

If you are looking for something a bit more advanced and on the bleeding edge, check out CSS Tricks, an excellent site with video tutorials and LOTS of other great CSS and design-related things. The author of the site is into jQuery too, so he has a lot of blog posts about tips and tricks related to that. Great stuff!