Re: jquery / CVE-2020-7656
Hi Brian,
> Have you considered the possibility of back porting the parseHTML
> function?
I did consider this. However, as I implied last time — and you have
independently discovered! — Javascript development is very weird with
lots of edge-cases, and that is before we consider the inconsistencies
of a higher-level API like jQuery and the underlying DOM APIs etc. etc.
I would therefore be very mindful about introducing regressions by this
apparently simple approach.
In any case, I have a few other things on my plate (including fixing
some upstream-introduced regressions in Django) so I would not be able
to look at this before you would. In any case, I only know enough
Javascript to know to avoid it anyway. Sorry I cannot be of more direct
help here, but you have my moral support.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-