refactor: CKEditor webjar swap + drop resource-server-content overlay #554
Merged
bjagg merged 2 commits into May 13, 2026
Conversation
Contributor
This is dependent upon resource-server serving up the webjar of ckeditor4, which it does not yet. See uPortal-Project/resource-server#352 (comment)
Member
Author
@Naenyn thanks for the catch. Pushed a commit to uPortal-Project/resource-server#352 adding
Member
Author
@Naenyn following up — uPortal-Project/resource-server#352 is merged, so the
…p <rs:compressJs>

Problem: configureContent.jsp loaded CKEditor from the legacy /ResourceServingWebapp/rs/ckeditor/4.3.2 path. CKEditor 4.3.2 is from 2014 and has many subsequent XSS CVEs (CVE-2018-9861, CVE-2019-10742, et al — patched through 4.22.x; CVE patches in 4.23+ require a paid LTS license, which is why we land at 4.22.1). The page also wrapped its initialization JS in <rs:compressJs>, a no-op tag the upstream resource-server-utils marked @deprecated.

Goal: pull CKEditor 4 from the modern overlay's webjar (org.webjars.npm:ckeditor4:4.22.1) and drop the deprecated wrapper.

Changes:
- src/main/webapp/WEB-INF/jsp/cms/configureContent.jsp: replace <rs:resourceURL value='/rs/ckeditor/4.3.2/ckeditor.js'/> with the static /resource-server/webjars/ckeditor4/ckeditor.js path; remove the <rs:compressJs>...</rs:compressJs> wrapper. The init body (CKEDITOR.replace + toolbarGroups config) is unchanged.

Notes: 4.22.1 emits a single console-error nag about the LTS upgrade — known noise, filtered in upstream visual smoke. Long-term plan documented in the workspace ledger: replace CKEditor + the bundled TinyMCE in AnnouncementsPortlet with Quill (BSD-3, Apache-compatible, HTML-native) once the editor migration is scheduled.
… dead libs)

Problem: SimpleContentPortlet declared a runtime <dependency> on the resource-server-content WAR overlay plus a maven-war-plugin <overlay> config that pulled in rs/jquery/1.10.2/, rs/jquery/1.11.0/, rs/jqueryui/1.10.3/, and rs/ckeditor/4.3.2/. The overlay also unpacked the entire rs/* tree of legacy libraries (lodash 4.17.4 with 4 known CVEs, underscore, backbone, modernizr, normalize, plus jquery-plugins) into the WAR even though no JSP/JS in the source referenced any of them. configureContent.jsp and ckeditor-callback.jsp were already swapped over to /resource-server/webjars/* paths in the prior commit on this branch (d368c89), so nothing in the WAR's own JSPs uses any of the overlay-extracted directories.

Goal: drop the entire overlay (dep + maven-war-plugin extract). The modern resource-server overlay deployed by uPortal-start serves jquery, jqueryui, and ckeditor4 via webjars at /resource-server/...

Changes:
- pom.xml: drop the runtime <dependency> on resource-server-content; drop the maven-war-plugin <overlay> config that extracted the legacy rs/jquery, rs/jqueryui, and rs/ckeditor directories. resource-server-utils (type=jar, taglibs in use elsewhere) is unchanged.

Notes: paired with d368c89 which did the source-side path swap. Verified `grep -rE 'rs/(jquery|jqueryui|ckeditor)|/SimpleContentPortlet/rs/' src/` returns no matches. WAR shrinks meaningfully (every consumer pulls jquery/jqueryui/ckeditor from /resource-server/webjars/ now).
5016a82 to f8a34fc
Summary

Two commits, both part of the broader resource-server consolidation:

- d368c89 (prior) — swap CKEditor 4.3.2 (legacy /ResourceServingWebapp/-served, multiple historical XSS CVEs) for the org.webjars.npm:ckeditor4:4.22.1 webjar via /resource-server/webjars/ckeditor4/...; drop dead <rs:compressJs> taglib wrappers.
- 5016a82 (new) — drop the resource-server-content WAR overlay. The overlay was unpacking lodash 4.17.4 (4 CVEs), underscore, backbone, modernizr, normalize, and jquery-plugins into the WAR for nothing, plus an explicit maven-war-plugin extract of jquery/jqueryui/ckeditor — none of which any JSP/JS in the source references after d368c89.

Test plan

- mvn clean install -DskipTests builds (verified locally on Java 11)
- rs/ directory (verified)
- /p/please-register/?pCm=config (or any SimpleContentPortlet config view), CKEditor mounts on the textarea — covered by uPortal-start's tests/ux/portlets/simple-content.spec.ts and tests/ux/smoke/visual-resource-server.spec.ts
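As an added example (not the PR author's or the uPortal project's code), the verification grep from the commit notes and the test plan turned into a POSIX shell CI guard that fails when legacy rs/ paths or the resource-server-content overlay come back; the rs/ alternative is anchored on a non-alphanumeric so the new /resource-server/webjars/ckeditor4/ path is not itself flagged. The fixture tree, the pom groupId and the file layout are constructed assumptions.

```shell
#!/bin/sh
# Added CI guard (not the project's code): fail when legacy ResourceServingWebapp paths or the
# resource-server-content overlay creep back in. The rs/ alternative is anchored on a
# non-alphanumeric so the new /resource-server/webjars/ckeditor4/ path is not flagged.
LEGACY_RE='(^|[^[:alnum:]])rs/(jquery|jqueryui|ckeditor)|/ResourceServingWebapp/|/SimpleContentPortlet/rs/|<rs:compressJs>'

# Print the number of lines under directory $1 that match LEGACY_RE (0 when clean).
count_legacy_refs() {
  grep -rE "$LEGACY_RE" "$1" 2>/dev/null | awk 'END { print NR }'
}

# Print 1 if the pom at $1 still declares the resource-server-content artifact, else 0.
pom_has_overlay() {
  if grep -q '<artifactId>resource-server-content</artifactId>' "$1"; then echo 1; else echo 0; fi
}

# Combined check for a checkout at $1: non-zero exit with a summary on stderr when either trips.
check_tree() {
  refs=$(count_legacy_refs "$1/src")
  overlay=$(pom_has_overlay "$1/pom.xml")
  if [ "$refs" -ne 0 ] || [ "$overlay" -ne 0 ]; then
    echo "legacy rs/ references: $refs line(s); resource-server-content in pom: $overlay" >&2
    return 1
  fi
}

# Constructed fixture: a clean tree (state after this PR) and a dirty one (state before it).
# The groupId is assumed; only the artifactId matters to the check.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/src/jsp" "$root/dirty/src/jsp"
  cat > "$root/clean/src/jsp/configureContent.jsp" <<'EOF'
<script src="/resource-server/webjars/ckeditor4/ckeditor.js"></script>
EOF
  cat > "$root/dirty/src/jsp/configureContent.jsp" <<'EOF'
<rs:compressJs><script src="<rs:resourceURL value='/rs/ckeditor/4.3.2/ckeditor.js'/>"></script></rs:compressJs>
EOF
  printf '<project><dependencies><dependency><groupId>org.jasig.resourceserver</groupId>%s</dependency></dependencies></project>\n' \
    '<artifactId>resource-server-utils</artifactId><type>jar</type>' > "$root/clean/pom.xml"
  printf '<project><dependencies><dependency><groupId>org.jasig.resourceserver</groupId>%s</dependency></dependencies></project>\n' \
    '<artifactId>resource-server-content</artifactId><type>war</type><scope>runtime</scope>' > "$root/dirty/pom.xml"
  echo "$root"
}

# Usage: sh guard.sh /path/to/SimpleContentPortlet
if [ $# -gt 0 ]; then check_tree "$1"; fi
```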