jQuery FTW!
Antechinus recently committed a change (REV 10827) to add jQuery 1.6.4 minified to SMF. It is a huge change for SMF. We've always written our own code with minor exceptions. Now we're escaping the "not invented here" mentality and using a proven product with a great community. Not only will this increase our development speed for JavaScript-based methods, but it will also give customization writers a boost as well. There's the possibility of speeding up your sites, lessening what needs to be downloaded, and quickly and easily adding more JavaScript-based features. There's a huge jQuery community with great documentation to help with issues that may come up.
"jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write JavaScript." -- jQuery.com. It is also free open source software (FOSS) released under an MIT or GPL license, which allows us to change and distribute it.
Some places you might find jQuery used: collapsing categories, drag & drop in several places (file attachments, board ordering, menu ordering), menus, quick reply, image viewing with a lightbox, color selectors, anything using AJAX, and possibly a lot more.
We're always looking for people to help us out. So, start gearing up to use jQuery in your customizations and read more about it. Make some good, open source customizations using jQuery and you might get an invite to the Development Team.
If you're interested in helping SMF with jQuery development, see the Bug Reports board.
To learn more about jQuery, see the jQuery website.


That being said, using jQuery over regular JavaScript doesn't add any security holes to your server. You have to have bad server-side code running, and even then you can exploit the same holes in that server-side code with plain old JavaScript.
IMHO of course.
http://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/
http://insecureweb.com/javascript/secure-your-ajax-request-with-jquery/
The exploit's discoverer gives 3 ways to combat this type of attack, but discovers there are ways around at least 2 of them.
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html
There are many plugins for jQuery. Some of them are well written and others may not be, or are not as complete as they could be... Good people tend to trust plugins, whereas bad people like to exploit them. Maybe we should have SMF-approved plugins.
That being said, I do not mind jQuery being added to SMF, but I do hesitate with SMF depending on jQuery as its core to function. I like to see the heart of the JS for SMF being provided by SMF.
As far as my knowledge goes for this subject, you just need to pay your utmost attention to the happenings of the DOM to control the behavior of JS/jQuery.
Moreover, whenever server- or permission-related things come into play, I always tend to go for server-side languages. Languages like JS are best for the front end/client side.
The Gmail exploit happened because the server passed contact information to the client-side JavaScript, so it is available to the user sending email, which is the purpose of Gmail. And a piece of JavaScript malware running in the same browser session could request the contact information in the same way that the legitimate client-side script ordinarily did. And then use that information to send spam to an entire Gmail contact list.
The danger in this case is in passing confidential information to the client-side script.
Captcha
Editor
JavaScript Frameworks
All three are things that, despite the quality of talent around here, you won't match the FOSS alternatives on.
There's always MooTools, which is less used, but equally powerful.
But seriously, SMF using a JavaScript framework doesn't automatically make it vulnerable if there are plugins for it that ARE unsafe. That plugin still has to be added somehow, most likely by a designer etc., and it would not be included in a pure SMF installation. It's the same today really: if a theme uses unsafe JavaScript right now, it's risking SMF in just the same way... but you can't blame SMF for it.
The fact that jQuery is popular makes it more targeted for people finding vulnerabilities, true... but it also has more people making it SAFE. Don't forget that.
So, now that SMF relies on 3rd party software for its JavaScript, I assume SMF will release a "security" update to coincide with a jQuery update?
There you go... have SMF check for jQuery updates and download them automatically?
I don't see why we'd have to - you can just update the jQuery version you're serving in the admin area. Or at least you should be able to - I'll poke Spuds about it.
That would mean writing the JavaScript twice, which is ridiculous. If you don't want to use jQuery, you'll end up with the same experience as someone who disables JavaScript, pretty much.
This is SMF. Most admins will not be able to do that. I do not understand the logic to include 3rd party software that will be minimally supported.
Humm...
I always was under the impression that if an admin wanted to add a 3rd party software it was their responsibility. Take Coppermine for example. I always have to check for the latest update and then apply it. Of course, the programmers do not make it easy. Their solution is a complete reinstall. Every now and then (before FF) I miss an update by a few months and a bad guy will take advantage of it. Do not get me wrong, I am not dead set against it, but it just seems like another piece of software I have to keep an eye on and maintain. Bla! I am lazy at heart...
Not interested in disabling js. More interested in what to do with all those sprinkles.
My question is: does SMF really need all the JS that is in it? It seems to be sprinkled all over the banana split. Sometimes I wish I could have my sprinkles separate... and eat them when I feel like it. What is going to be done about all those sprinkles?
The sprinkles are all over the place. Adding jQuery is like taking all of them and putting them in one big sprinkle storage container. Once this is done you need to figure out an interface. I thought that things like this were the reason for the development of integration hooks in the first place. Is this really less work?
What jQuery allows is for the devs and themers to write complicated JS a lot better and more easily, with greater compatibility between browsers.
Some mods have jQuery bundled with them, so those mods should be updated too.