Problem/Motivation
Because SA-CONTRIB-2015-123 was fixed in the 7.x-2.x branch only, 7.x-3.x will need to address this security issue before a full major release.
Proposed resolution
Remove the overlay.js replacement entirely and use the newly added jQuery Migrate plugin to offset the cost of keeping up with core.
Remaining tasks
- Create a patch that removes all the files under replace/misc/1.9 and force enable the jQuery Migrate plugin if and when these files (from core) are detected.
User interface changes
Show helper text in the settings UI explaining why the plugin may be force enabled.
API changes
None
Comments
Comment #1
markhalliwell
The 7.x-3.x branch doesn't really need the same patch. The only reason jQuery Update was replacing core's overlay was to deal with the fact that jQuery 1.9+ removed deprecated methods.
Now that the jQuery Migrate plugin is in 7.x-3.x (not 7.x-2.x), we just need to remove the overlay-parent.js replacement file entirely. Now we can simply force enable the jQuery Migrate plugin if and when the overlay-parent.js (from core) is detected in the JS array (or if the overlay module is enabled, not sure which would be better/easier?).
We should also display some helping text in the UI explaining _why_ the plugin is force enabled.
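The detection described in comment #1, as an added example for Drupal 7 that is not part of the thread or of jQuery Update's code: it checks the JS array for the two core files named in this issue and queues jQuery Migrate when either is present. The module name `example` and the Migrate file path are assumptions; the path is a placeholder.

```php
<?php
// Added example. The module name "example" and the Migrate path below are
// assumptions for illustration, not jQuery Update's own code.

/**
 * Drupal 7 core files named in this issue that were being replaced.
 */
function example_legacy_core_js() {
  return array(
    'modules/overlay/overlay-parent.js',
    'misc/jquery.ba-bbq.js',
  );
}

/**
 * Returns the legacy core files queued in a hook_js_alter() array.
 *
 * The array is keyed by file path, so a key match also catches
 * jquery.ba-bbq.js when another module loads it without Overlay.
 */
function example_detect_legacy_core_js(array $javascript) {
  return array_values(array_intersect(example_legacy_core_js(), array_keys($javascript)));
}

/**
 * Implements hook_js_alter().
 */
function example_js_alter(&$javascript) {
  if (!example_detect_legacy_core_js($javascript)) {
    return;
  }
  // Placeholder path: point this at wherever the Migrate plugin is shipped.
  $migrate = 'PATH/TO/jquery-migrate.min.js';
  if (isset($javascript[$migrate])) {
    return;
  }
  // Load Migrate right after core's jquery.js (JS_LIBRARY, weight -20) so
  // the removed methods exist again before the core files execute.
  $javascript[$migrate] = array(
    'group' => JS_LIBRARY,
    'weight' => -19.5,
    'every_page' => TRUE,
  ) + drupal_js_defaults($migrate);
}
```

Checking the JS array rather than `module_exists('overlay')` is the choice made here because it keys on the files actually sent to the page.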
Comment #2
markhalliwell
Comment #3
markhalliwell
Comment #4
markhalliwell
Actually the same could be said for the other core replacement file too, replace/misc/1.9/jquery.ba-bbq.js
Comment #5
markhalliwell
Will create a follow-up for the "force" or rather "suggestion" to enable jQuery Migrate for outdated core files.
Comment #7
markhalliwell