Advertisement:

Author Topic: jQuery FTW!  (Read 66199 times)

Offline Joshua Dickerson

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,777
  • Gender: Male
    • joshuaadickerson on GitHub
    • joshuaadickerson on LinkedIn
jQuery FTW!
« on: December 30, 2011, 01:06:52 PM »
Antechinus recently committed a change (REV 10827) to add jQuery 1.6.4 minified to SMF. It is a huge change for SMF. We've always written our own code with minor exceptions. Now we're escaping the "not invented here" mentality and using a proven product with a great community. Not only will this increase our development speed for Javascript based method, but it will also give customization writers a boost as well. There's the possibility of speeding up your sites, lessening what needs to be downloaded, and quickly and easily adding more Javascript based features. There's a huge jQuery community with great documentation to help with issues that may come up.

"jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write JavaScript." -- jQuery.com. It is also free open source software (FOSS) released under a MIT or GPL license which allows us to change and distribute it.

Some places you might find jQuery used: collapsing categories, drag & drop in several places (file attachments, board ordering, menu ordering), menus, quick reply, image viewing with a lightbox, color selectors, anything using AJAX, and possibly a lot more.

We're always looking for people to help us out. So, start gearing up to use jQuery in your customizations and read more about it. Make some good, open source customizations using jQuery and you might get an invite to the Development Team.


If you're interested in helping SMF with jQuery development, see the Bug Reports board.
To learn more about jQuery, see the jQuery website.
Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?

The Craw

  • Guest
Re: jQuery FTW!
« Reply #1 on: December 30, 2011, 01:47:49 PM »
Heck yes! jQuery makes life so much easier when it comes to ajax applications and other javascript intensive websites. It shortens the code a lot. I'm also glad to see you guys using it for more than just animations, which are cool, but not worth including a library for.

Offline Robert.

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,074
  • Gender: Male
    • nedroden on GitHub
Re: jQuery FTW!
« Reply #2 on: December 30, 2011, 04:03:42 PM »
+1
Software Engineering student
DraiWiki | Project Alpha

Offline Anthony`

  • Sophist Member
  • *****
  • Posts: 1,347
  • Gender: Male
  • Formerly Project Evolution
    • AnthonyCalandra on GitHub
Re: jQuery FTW!
« Reply #3 on: December 30, 2011, 04:35:22 PM »
This is a very exciting update, cracking out the jQuery books!

Offline Anthony`

  • Sophist Member
  • *****
  • Posts: 1,347
  • Gender: Male
  • Formerly Project Evolution
    • AnthonyCalandra on GitHub
Re: jQuery FTW!
« Reply #4 on: December 31, 2011, 04:10:35 PM »
Just to clear this up: we are allowed to use plugins in our modifications as long as they conform to the license of the plugin?

Offline SleePy

  • Let there be light!
  • Site Team Lead
  • SMF Master
  • *
  • Posts: 30,417
  • Gender: Male
  • Thats his happy face.
    • jdarwood007 on GitHub
    • @jdarwood on Twitter
    • SleePy Code - My personal site
Re: jQuery FTW!
« Reply #5 on: December 31, 2011, 06:57:34 PM »
That should be fine.  As long as the license from the plugin permits redistribution in the license your modification will use, it shouldn't be any trouble.
Jeremy D — Site Team / SMF Developer
Support the SMF Support team!
Profiles:
GitHub

Offline InfoStrides

  • Full Member
  • ***
  • Posts: 497
  • www.TheInfoStrides.com
    • InfoStrides on Facebook
    • @TheInfoStrides on Twitter
    • TheInfoStrides.com
Re: jQuery FTW!
« Reply #6 on: February 26, 2012, 04:15:08 PM »
jQuery is really fantastic. I'm currently exploring it.

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,641
  • Gender: Male
  • One of the french SMF translators
Re: jQuery FTW!
« Reply #7 on: March 01, 2012, 01:59:22 PM »
More security holes?
On a toujours besoin d'un plus petit que soi! (Petit!Petit!)


Think about Search function before posting.
Pensez à la fonction Recherche avant de poster.

Offline Joshua Dickerson

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,777
  • Gender: Male
    • joshuaadickerson on GitHub
    • joshuaadickerson on LinkedIn
Re: jQuery FTW!
« Reply #8 on: March 01, 2012, 02:42:15 PM »
Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?

Offline butchs

  • SMF Hero
  • ******
  • Posts: 1,730
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: jQuery FTW!
« Reply #9 on: March 01, 2012, 06:18:08 PM »
I played with it for a while but decided not to use it.  I was looking at it for security reasons for a challenge page for a  mod I am updating.  Thought it would save some time.  After some research, I discovered that CloudFlare started with JQuery and then stopped using it for unknown security reasons.  Furthermore the JQuery code I saw was client-side and can be manipulated.  Though more difficult to implement, I opted for server-side php sprinkled with some small JS code.
 :-X
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Offline Fustrate

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,474
  • Gender: Male
  • Controller of the rum budget
    • Fustrate on GitHub
    • @Fustrate on Twitter
    • Fustrate
Re: jQuery FTW!
« Reply #10 on: March 01, 2012, 06:49:18 PM »
You should never depend on client-side code for security. Always assume that anything the user can touch is insecure and has been altered maliciously.

That being said, using jQuery over regular javascript doesn't add any security holes to your server. You have to have bad server-side code running, and even then you can exploit the same holes in that server-side code with plain old javascript.
Steven Hoffman
Former Team Member, 2009-2012

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,641
  • Gender: Male
  • One of the french SMF translators
Re: jQuery FTW!
« Reply #11 on: March 02, 2012, 05:53:36 AM »
Being dependant of other software is always a security risk in more. then more dependances too. That's why unknown woudn't use 3rd party codes...
On a toujours besoin d'un plus petit que soi! (Petit!Petit!)


Think about Search function before posting.
Pensez à la fonction Recherche avant de poster.

Offline Joshua Dickerson

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,777
  • Gender: Male
    • joshuaadickerson on GitHub
    • joshuaadickerson on LinkedIn
Re: jQuery FTW!
« Reply #12 on: March 02, 2012, 08:50:14 AM »
Everything is a security risk. There is a risk in everything you do. You risk breaking your ankle by taking a step forward, does that stop you from walking?
Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: jQuery FTW!
« Reply #13 on: March 02, 2012, 09:07:50 AM »
You are relying on the linux kernel (or the windows one), on the particular distribution you are using (or the particular version of windows), then on apache, mysql/postgre/sqlite, php... am I missing anything? Any of those has (for sure something is there, not yet discovered, but it's there) for sure a more problematic (being server side) security hole than any bug jQuery can have. ;)
IMHO of course.


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Offline Angelina Belle

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 7,586
Re: jQuery FTW!
« Reply #14 on: March 02, 2012, 01:22:32 PM »
I think the issue is that jQuery gives you tools that, if you are not careful, you can really open yourself up to XSS attacks which are fired off when a user on your site clicks a malicious link -- on your site. Which is easy to arrange if your site is a forum (or GMail, which is where the vulnerability was first discovered). The malicious site has access to the users' session cookie because it is accessed through the same browser session. It can send an HTTP request for JSON data to your site, that only the victim should be able to use. Like the victim's contact list. Anything the website can serve up can be captured and parsed. Pure JSON-formatted files are especially vulnerable. Since there have been requests for more AJAXy kind of stuff in the future, this could be relevant. The malicious website javascript can then do many things with that data -- email it to a bad guy, for example.

http://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/
http://insecureweb.com/javascript/secure-your-ajax-request-with-jquery/

The exploit's discoverer gives 3 ways to combat this type of attack, but discovers there are ways around at least 2 of them.
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor

Offline Fustrate

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,474
  • Gender: Male
  • Controller of the rum budget
    • Fustrate on GitHub
    • @Fustrate on Twitter
    • Fustrate
Re: jQuery FTW!
« Reply #15 on: March 02, 2012, 04:15:19 PM »
jQuery doesn't give an attacker access to anything more than plain Javascript does. It's that simple. There is no added security risk from jQuery, and there never will be.

I think the issue is that jQuery gives you tools that, if you are not careful, you can really open yourself up to XSS attacks
And PHP is worse in that respect if you're not careful with your code, but we still use it. You just have to know how to avoid making those mistakes.
Steven Hoffman
Former Team Member, 2009-2012

Offline Angelina Belle

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 7,586
Re: jQuery FTW!
« Reply #16 on: March 02, 2012, 04:42:00 PM »
I agree, Fustrate.  It's not JQuery itself that's the danger, directly.  It's the cool things JQuery tempts you to do that  you have to watch out for.  The devil is in the details.
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor

Offline butchs

  • SMF Hero
  • ******
  • Posts: 1,730
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: jQuery FTW!
« Reply #17 on: March 03, 2012, 06:54:31 AM »
The biggest risk of JQuery is it's popularity.  The exploit effort always increases with popularity.

There are many plugins for JQuery. Some of them are well written and other may not be or are not as complete as they could be...  Good People tend to trust plugins where as bad People like to exploit them.  Maybe we should have SMF approved plugins.

That being said, I do not mind JQuery being added to SMF but I do hesitate with SMF depending on JQuery as it's core to function.  I like to see the heart of the JS for SMF being provided by SMF.
« Last Edit: March 03, 2012, 06:58:50 AM by butchs »
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,641
  • Gender: Male
  • One of the french SMF translators
Re: jQuery FTW!
« Reply #18 on: March 03, 2012, 07:42:40 AM »
Exactly.
On a toujours besoin d'un plus petit que soi! (Petit!Petit!)


Think about Search function before posting.
Pensez à la fonction Recherche avant de poster.

Offline Joker™

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 5,914
  • Gender: Male
    • siddhartha-gupta on GitHub
Re: jQuery FTW!
« Reply #19 on: March 04, 2012, 07:51:28 AM »
The biggest risk of JQuery is it's popularity.  The exploit effort always increases with popularity.

As far as my knowledge goes for this subject, you just need to ply your utmost attention to the happenings of DOM to control the behavior of JS/JQuery.

Moreover whenever server or permissions sort of things comes into play I always tend to go for server side languages. Languages like JS are best for front end/client side.
Github Profile
Android apps
Medium

How to enable Post Moderation

"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved