jQuery FTW!

Started by Joshua Dickerson, December 30, 2011, 01:06:52 PM


emanuele

So we have to keep a very low profile with SMF in a way that it doesn't become popular enough to be exploited?...

* emanuele likes generalizations. :P


Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem properly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Angelina Belle

Quote from: Joker™ on March 04, 2012, 07:51:28 AM
Moreover whenever server or permissions sort of things comes into play I always tend to go for server side languages. Languages like JS are best for front end/client side.
Yes. The danger exists when such information is passed to the client side -- like the memberlist, when it is made available for auto-match when you are sending a PM.

The gmail exploit happened because the server passed contact information to the client-side javascript, so it is available to the user sending email, which is the purpose of gmail. And a piece of javascript malware running in the same browser session could request the contact information in the same way that the legitimate client-side script ordinarily did. And then use that information to send spam to an entire gmail contact list.

The danger in this case is in passing confidential information to the client-side script.
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor
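The pattern Angelina Belle describes (a logged-in user's data handed to client-side script, and any other script in the same browser session able to ask for it the same way) can be illustrated with a small model of a "member list for PM auto-match" endpoint. This is an added example, not code from SMF or from anyone in this thread; the session store, token names, header names and member list are all constructed for illustration.

```javascript
// Constructed session store: session cookie value -> { user, csrfToken }.
const SESSIONS = {
  "sess-alice": { user: "alice", csrfToken: "tok-alice-123" },
};
// Constructed confidential data: the member list exposed for PM auto-complete.
const MEMBER_LIST = ["alice", "bob", "carol"];

// Resolve the session from a "sid=" cookie the browser attaches automatically.
function lookupSession(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.cookie || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// UNSAFE shape: the cookie alone authenticates the request and the body is a
// bare JSON array. Because the browser sends the cookie with every request to
// this site, any page open in the same session can fetch the list the way the
// legitimate auto-complete script does.
function unsafeMemberList(req) {
  const s = lookupSession(req);
  if (!s) return { status: 401, body: "" };
  return { status: 200, body: JSON.stringify(MEMBER_LIST) };
}

// HARDENED shape: additionally require (1) a per-session token the requesting
// script must have read from the page, which a page on another origin cannot
// read, and (2) a custom header that a plain <script> tag or HTML form cannot
// set; and (3) prefix the payload so it is not valid script if it is ever
// loaded as one (the client strips the prefix before parsing).
const GUARD_PREFIX = ")]}',\n";

function safeMemberList(req) {
  const s = lookupSession(req);
  if (!s) return { status: 401, body: "" };
  const headers = req.headers || {};
  const tokenOk = headers["x-csrf-token"] === s.csrfToken;
  const xhrOk = headers["x-requested-with"] === "XMLHttpRequest";
  if (!tokenOk || !xhrOk) return { status: 403, body: "" };
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(MEMBER_LIST) };
}

// Client-side counterpart for the hardened endpoint.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error("unexpected response shape");
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}
```

The same token-plus-header check is what jQuery's `$.ajax` makes easy to send from the page's own scripts, which is the point: the framework is not the risk, the shape of the endpoint is.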

Eudemon

indeed, jquery is a nice product, been using it for a while

karlbenson

Don't re-invent the wheel

Captcha
Editor
Javascript Frameworks

all three things that despite the quality of talent around here, you won't match the FOSS alternatives.

Antechinus

Yup. It's the sensible option, and can be used safely. Lots of sites already use it safely, so there's no reason why SMF cannot.

bloc

Quote from: butchs on March 03, 2012, 06:54:31 AM
The biggest risk of jQuery is its popularity.  The exploit effort always increases with popularity.

There are many plugins for jQuery. Some of them are well written and others may not be, or are not as complete as they could be...  Good people tend to trust plugins, whereas bad people like to exploit them.  Maybe we should have SMF approved plugins.

That being said, I do not mind jQuery being added to SMF but I do hesitate with SMF depending on jQuery as its core to function.  I'd like to see the heart of the JS for SMF being provided by SMF.


There's always Mootools, which is less used, but equally powerful. 8)

But seriously, SMF using a javascript framework doesn't automatically make it vulnerable if there are plugins for it that ARE unsafe. That plugin still has to be added somehow, most likely by a designer etc., and it would not be included in a pure SMF installation. It's the same today really: if a theme uses an unsafe javascript right now, it's risking SMF in just the same way..but you can't blame SMF for it.

The fact that jQuery is popular makes it more targeted for people finding vulnerabilities, true..but it also has more people making it SAFE. Don't forget that.

butchs

It seems to me that we really have no choice since the decision was made some time ago.   O:)

So, now that SMF relies on 3rd party software for its Javascript, I assume SMF will release a "security" update to coincide with a jQuery update?   :-X

There you go...  have SMF check for jQuery updates and download them automatically?   :o  Here is a thought, why not make jQuery optional by providing hooks.  If it is installed then the "additional features" are enabled.  Otherwise, plain Jane SMF JS.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Antechinus

The code allows for calling the latest from the Google CDN, or using a local jQuery version of your choice.

Fustrate

Quote from: butchs on April 15, 2012, 06:57:23 PM
It seems to me that we really have no choice since the decision was made some time ago.   O:)

So, now that SMF relies on 3rd party software for its Javascript, I assume SMF will release a "security" update to coincide with a jQuery update?   :-X

I don't see why we'd have to - you can just update the jQuery version you're serving in the admin area. Or at least you should be able to - I'll poke Spuds about it.

Quote
There you go...  have SMF check for jQuery updates and download them automatically?   :o  Here is a thought, why not make jQuery optional by providing hooks.  If it is installed then the "additional features" are enabled.  Otherwise, plain Jane SMF JS.

That would mean writing the javascript twice, which is ridiculous. If you don't want to use jQuery, you'll end up with the same experience as someone who disables javascript, pretty much.
Steven Hoffman
Former Team Member, 2009-2012

butchs

Quote from: Fustrate on April 15, 2012, 09:47:05 PM
I don't see why we'd have to - you can just update the jQuery version you're serving in the admin area. Or at least you should be able to - I'll poke Spuds about it.

This is SMF.  Most admins will not be able to do that.  I do not understand the logic to include 3rd party software that will be minimally supported.

Humm...
Quote from: CodeIgniter User Guide Version 2.1.0
CodeIgniter provides a library to help you with certain common functions that you may want to use with Javascript. Please note that CodeIgniter does not require the jQuery library to run, and that any scripting library will work equally well. The jQuery library is simply presented as a convenience if you choose to use it.

I always was under the impression that if an admin wanted to add a 3rd party software it was their responsibility.  Take coppermine for example. I always have to check for the latest update then apply it.  Of course, the programmers do not make it easy.  Their solution is a complete reinstall.  Every now and then (before FF)  I miss an update by a few months and a bad guy will take advantage of it.  Do not get me wrong, I am not dead set against it but, it just seems like another piece of software I have to keep an eye on and maintain.  Bla!  I am lazy at heart...  :o

Quote from: Fustrate on April 15, 2012, 09:47:05 PM
That would mean writing the javascript twice, which is ridiculous. If you don't want to use jQuery, you'll end up with the same experience as someone who disables javascript, pretty much.

Not interested in disabling js.  More interested in what to do with all those sprinkles.   :laugh:

My question does SMF really need all the JS that is in it? It seems to be sprinkled all over the banana split.  Sometimes I wish I could have my sprinkles separate... and eat them when I feel like it.  What is going to be done about all those sprinkles?

The sprinkles are all over the place.  Adding jQuery is like taking all of them and putting them in one big sprinkle storage container.  Once this is done you need to figure out an interface.  I thought that things like this were the reason for the development of integration hooks in the first place.  Is this really less work?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

live627

Have you even USED jQuery?

Thantos

jQuery is not a plugin that has to be kept up to date.  In fact, you rarely want to just include the most recent version.  Instead you pick a version and upgrade after you've tested.  At work we were running 1.4 for a few years and are just now updating to 1.7.  Looking at the release notes I don't recall any security releases.  I would expect that SMF would package the jQuery file that was used and tested against.  If jQuery released a minor version that fixed some critical issue then SMF could easily release their own patch for it via the package manager.

What jQuery allows is for the devs and themers to write complicated JS a lot better and easier, with greater compatibility between browsers.

Akyhne

Quote from: Thantos on April 16, 2012, 11:00:20 PM
If jQuery released a minor version that fixed some critical issue then SMF could easily release their own patch for it via the package manager.
It isn't really more complicated than that!

vpn

Been waiting for this for a long time.

Some mods have jquery bundled with them so those mods should be updated too :)
VPN Tutorials
VPN Support Forums

Kindred

well.... all mods would have to be updated for 2.1 anyway....
Слaва Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

live627

Quote from: Kindred on October 10, 2012, 06:14:21 PM
well.... all mods would have to be updated for 2.1 anyway....
not all mods need an update...
