UKGovLD/registry-core

upgrade jquery.min.js version used in registry software

Opened this issue · 0 comments

We are trying to upgrade the jquery.min.js version used in the registry software here at NWS. Our target is version 3.5.0 or higher. The NVD reports that jQuery hosted on the remote web server prior to version 3.5.0 is subject to a cross-site scripting vulnerability, and suggests upgrading to 3.5.0 or later. See here: https://nvd.nist.gov/vuln/detail/CVE-2020-11022

However, what we have found is that we cannot make this work. What we tried is updating the jquery.min.js file in the folder /opt/ldregistry/ui/js/ and also updating the <script> tag accordingly in the .vm files in the /opt/ldregistry/templates/ folder.

We suspect there are filters that intercept requests matching the pattern /ui/* and prevent the effort above from succeeding. However, we cannot figure out how to circumvent these filters without affecting the proper working of the registry software.

Has anyone ever tried upgrading the jQuery JS lib successfully?
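
An added check, not part of the original issue and not registry-core code: it audits the on-disk side of the upgrade described above, reporting jQuery core builds below 3.5.0 in the UI script folder and template `<script>` tags that still load one or that name a file not on disk. It assumes the standard `/*! jQuery vX.Y.Z` banner of jQuery core builds; the sample tree, its file names and its versions are constructed, and on a real install the two arguments would be the `/opt/ldregistry/ui/js/` and `/opt/ldregistry/templates/` folders named in the issue.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 5, 0)  # upgrade target the issue gives for CVE-2020-11022
BANNER = re.compile(r"/\*!\s*jQuery v(\d+)\.(\d+)\.(\d+)")  # banner of jQuery core builds
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']*jquery[^"']*\.js)""", re.I)

def core_version(path):
    """Version tuple from a jQuery core banner comment, or None (plugin or other file)."""
    m = BANNER.search(path.read_text(encoding="utf-8", errors="replace")[:512])
    return tuple(map(int, m.groups())) if m else None

def audit(js_dir, templates_dir):
    """Return sorted (location, file name, problem) findings for one deployment."""
    on_disk = {p.name: core_version(p) for p in Path(js_dir).glob("*.js")}
    old = {n for n, v in on_disk.items() if v is not None and v < FIXED}
    findings = [(Path(js_dir).name, n, "core build below 3.5.0") for n in old]
    for vm in Path(templates_dir).rglob("*.vm"):
        text = vm.read_text(encoding="utf-8", errors="replace")
        for src in SCRIPT_SRC.findall(text):
            name = src.rsplit("/", 1)[-1]
            if name in old:
                findings.append((vm.name, name, "template loads old build"))
            elif name not in on_disk:
                findings.append((vm.name, name, "template references missing file"))
    return sorted(findings)

def demo():
    """Run the audit over a constructed tree that mimics a half-finished upgrade."""
    with tempfile.TemporaryDirectory() as tmp:
        js, tpl = Path(tmp, "ui", "js"), Path(tmp, "templates")
        js.mkdir(parents=True)
        tpl.mkdir()
        # Constructed sample files: only the banner line matters to the audit.
        (js / "jquery.min.js").write_text("/*! jQuery v1.9.1 | constructed */\n")
        (js / "jquery-3.5.0.min.js").write_text("/*! jQuery v3.5.0 | constructed */\n")
        (tpl / "header.vm").write_text('<script src="/ui/js/jquery.min.js"></script>\n')
        (tpl / "footer.vm").write_text('<script src="/ui/js/jquery-3.5.1.min.js"></script>\n')
        return audit(js, tpl)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=": ")
```

An empty result means the files and templates on disk are consistent, so a page that still loads an old jQuery is getting it from somewhere other than these two folders.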