does scriptaculous still have Javascript hacking vulnerability? - scriptaculous

Scriptaculous is listed with the Javascript Hacking vulnerability on the following site:
[http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2384]
Does anyone know if this has been resolved since the article was posted in 2008?

I think the vulnerability of Scriptaculous was due to Prototype js 1.6.
https://security-tracker.debian.org/tracker/CVE-2007-2383
If you want to use scriptaculous without the vulnerability you have to replace the prototype js file in scriptaculous with the latest prototype js version. The latest today I think is 1.7.3.
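An added check for the answer above (not code from the original post or from either project): it scans a directory tree for bundled copies of prototype.js, reads the Version field each file declares, and flags any copy older than a baseline you choose; the baseline here is the 1.7.3 release the answer names. The Version: '...' field format and the _rcN pre-release suffix are assumptions about the file's header.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# The Prototype object declares its version as  Version: '1.6.0'  or, for
# release candidates,  Version: '1.5.1_rc3'  (assumed header format).
VERSION_RE = re.compile(r"Version:\s*'(\d+(?:\.\d+)*)(?:_rc(\d+))?'")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return a comparable tuple for the version declared in `text`, or None.
    A release candidate sorts below the final release of the same number:
    1.5.1_rc3 -> (1, 5, 1, 0, 3) and 1.5.1 -> (1, 5, 1, 1, 0)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # normalise 1.6 -> 1.6.0
    rc = m.group(2)
    return nums + ((0, int(rc)) if rc else (1, 0))

# Baseline taken from the answer above: the 1.7.3 release.
BASELINE = parse_version("Version: '1.7.3'")

def audit_tree(root: Path, baseline=BASELINE) -> list:
    """Find every prototype*.js under `root` and report (relative path,
    parsed version, outdated) for each; an unparsable file counts as outdated."""
    report = []
    for path in sorted(root.rglob("prototype*.js")):
        ver = parse_version(path.read_text(errors="replace"))
        outdated = ver is None or ver < baseline
        report.append((str(path.relative_to(root)), ver, outdated))
    return report

def demo() -> list:
    """Run the audit over a constructed tree with one stale and one current copy."""
    root = Path(tempfile.mkdtemp())
    stale = root / "vendor" / "scriptaculous" / "lib"   # constructed sample
    stale.mkdir(parents=True)
    (stale / "prototype.js").write_text("var Prototype = {\n  Version: '1.6.0',\n")
    fresh = root / "js"                                  # constructed sample
    fresh.mkdir()
    (fresh / "prototype.js").write_text("var Prototype = {\n  Version: '1.7.3',\n")
    report = audit_tree(root)
    for rel, ver, outdated in report:
        label = ".".join(map(str, ver[:3])) if ver else "unknown"
        print(f"{'OUTDATED' if outdated else 'ok'}\t{rel} (version {label})")
    return report

if __name__ == "__main__":
    demo()
```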

Related

Globalize.js API changes and jQuery UI

I'm trying to play with the examples from jQuery UI, such as this one. I would like to use the globalization functions (for a currency field, for example), but it seems that Globalize.js has gone through a major API change, so that the code used in the UI examples doesn't work with the Globalize version I downloaded. For example, the jQuery UI depends on a Globalize.parseFloat function that doesn't exist in that version.
So apparently jQuery UI uses a legacy version of Globalize.js, but how should I download it? I couldn't find any information on that, neither on the API changes. I could download the JS files that are included by jQuery UI, obviously, but I was hoping for a "more official" solution.
I can confirm that the Globalize 1.0.0-alpha releases are incompatible with the current jQuery UI 1.11.x releases. I have successfully used Globalize 0.1.1 with jQuery UI 1.11.x.
This blog post from jQuery UI indicates that they are "...working on a full rewrite of the datepicker widget. The rewrite will feature a far simpler API that will make customizations a lot easier. The rewrite builds on top of the rewritten Globalize library, which builds on top of CLDR, a comprehensive source for globalization data.". Hopefully, this rewrite will include more than just datepicker!
It's 2016 already, two years later, but jQuery 1.11.x is still current (v1.12 in BETA). And I ran into this same issue for a brown-field project I'm doing. I managed to solve this thanks to the OP's analysis that jQuery UI indeed assumes the legacy Globalize version, and the solution of #wedgef5 to switch back to v0.1.1 of Globalize.
The OP did ask for an official answer. I guess there is none, but current best practice is to use a package manager. I use Bower which downloads the current version (now v1.1) by default. Assuming you did the same, you fix this in Bower as follows:
bower uninstall globalize --save
bower install globalize#0.1.1 --save
If you use a different package manager, something similar applies. After this code similar to this example works :). Your bower.json should be changed:
{
"name": "yourpackage",
...
"dependencies": {
...
"globalize": "0.1.1" // Used to be: "globalize": "^1.1.1"
...
}
...
}
Have you tried going to the releases tab in the globalize github project? You can cross-reference the release dates of globalize and jQueryUI and make your best guess from there.

How to use Twitter bootstrap with rails 3.0

How am I supposed to use bootstrap with rails 3.0 rather than >= 3.1? Is there any plugin which supports rails 3.0?
I think all of the bootstrap gems require Rails 3.1 or greater. I recently had bootstrap on a 3.0.10 Rails app using the Less.js file that you download from their site: http://lesscss.org/. This is the simplest most basic way to use Twitter-Bootstrap; the file compiles all of your "my_file.less" files into css on the client side.
However, if you want to modify the variables (which is the real power of using this framework) then you need to compile it. You can take a look at this Less compiler: http://wearekiss.com/simpless. I've never tried that, but I hear good things about it and it works on Mac, Linux, or PC.
Probably the easiest thing to do - if you want to compile the code on the server side - would be to upgrade your project to Rails 3.1.1 and just use one of the Twitter Bootstrap gems. This is actually exactly what I ended up doing. I was able to update my app to 3.1.1 and I used the Bootstrap-Sass gem (just because I slightly prefer Sass).
If you decide to upgrade, follow this RailsCast: http://railscasts.com/episodes/282-upgrading-to-rails-3-1
It helped me a lot.
Ryan Bates also offers a video on how to incorporate Twitter Bootstrap into a Rails app: http://railscasts.com/episodes/328-twitter-bootstrap-basics.
Here's a link to the Sass version of Bootstrap that I am currently using: https://github.com/thomas-mcdonald/bootstrap-sass
Many solutions: you can upgrade to rails 3.1+, which might be the better (not the easier, depending on your app) way. You can include the static files yourself if you don't intend to change anything that is handled at the less level. You can do it even if you intend to, but you'll have to recompile the files yourself (or find a way to automate it). Finally, there might be a gem out there that is compatible with rails pre-asset-pipeline, or an old version of a gem. You'll have to look for yourself if you absolutely want a gem.

JQuery UI with Primefaces

I have some old code that uses Primefaces 2.2.1, but now that I need to upgrade the version to 3.1.1 to use some of the new features, some of my javascript functionality is breaking.
I tracked down the issue and realized that in 2.2.1, the jQuery UI plugin was included out of the box but for some reason it is missing in 3.1.1.
Does anyone know why this happened and how can I get my javascript to function correctly without changing it?
I have fixed the original problem posed by this question by downloading the jQuery UI plugin and including it manually.

Is there a definitive solution for auto_complete in Rails?

I'm using DHH's auto_complete plugin, but am in the process of updating my dependencies on plugins to gems where feasible. Is there a newer, gemified version of this library, or has another solution emerged as the de facto standard?
I switched to jQuery autocomplete a long time ago, leaving outdated plugins in favor of unobtrusive custom javascript code.

JQuery + rails problem

I'm new to JQuery and so far I'm using prototype. But now I want to use JQuery, and the thing is I don't want to change my old code, which uses prototype.
I installed the jrails plugin also.
My question is: can I use
new Ajax.Updater etc.. kind of methods with JQuery (having the jrails plugin installed)?
(it doesn't work for me)
BTW - I'm getting JQuery from here
http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
thanks in advance
cheers
sameera
I'm not sure if I understand your question completely but it seems to me that you are asking if you can use both Prototype and jQuery because you don't want to have to change all your old code. The best thing to do would be to put jQuery in noConflict mode. Under your inclusion of the jquery file from google, just do this:
<script>
var $j = jQuery.noConflict();
</script>
That way jQuery won't step on Prototype's toes. Instead of calling jQuery with a $ you'd use $j, for example:
$j('#sidebar').hide();
I hope that helps... if indeed that's what you were asking.
I found that jrails was acting strange for me a few weeks ago. I discovered that the gem version solved my problems. Try installing it as a gem (if you're currently running it as a plugin) and see what happens.