Security release of YUI JavaScript framework protects against JavaScript and Flash injection

It’s been an extremely busy week or so in the world of JavaScript. Last Monday saw the first release of the jQuery Mobile project, which aims to help developers build great cross-device mobile websites. A new version of the jQuery framework followed the next day, bringing a range of performance increases. Version 1.1 of the Knockout data binding framework appeared on Thursday; the new version of HP’s webOS was due to land on Friday with the new ability to build services with node.js; and Adobe AIR 2.5 turned up on Monday with a long list of newly supported devices.

Now, a new version of YUI, Yahoo’s JavaScript library, has been released. Version 2.8.2 is an update for the 2.8 branch of the library with an important bug fix. YUI versions between 2.4.0 and 2.8.1 are all vulnerable to a JavaScript injection attack against the YUI 2 Flash Component Infrastructure, meaning the server hosting the SWF files used by that infrastructure could be exploited.

It is highly recommended that users of the affected versions upgrade immediately. Developers using the jQuery or Google-provided CDNs to host their code need not be concerned, as the fix is already deployed there. More information is available in the security bulletin.
