How can I apply the YUI security vulnerability patch on my deployed application using Orbeon Forms?

Question

Yahoo! released a security patch for all the applications using YUI. As Orbeon Forms uses YUI, how can I apply this patch on the version of Orbeon Forms that I am using?

Answer 1

First, you are safe and don't need to patch Orbeon Forms if you are using a version of Orbeon Forms released on or after October 25, 2010 (the day the security vulnerability and patch was announced).

If you are using an earlier build:

1. Unzip the file WEB-INF/lib/orbeon-resources-public.jar in a temporary directory.
2. In that directory, open ops/yui/yahoo/yahoo.js. Towards the top of the file, you'll see a version number (e.g. 2.6.0). This tells you what version of YUI your build of Orbeon Forms uses.
3. From the YUI page about this security vulnerability, download the patches for the version of YUI used by your build of Orbeon Forms.
4. Apply the patches by replacing the swf files in the temporary directory by those in the patches you downloaded. The YUI file are located under ops/yui in your temporary directory.
5. Just in case, make a copy of the WEB-INF/lib/orbeon-resources-public.jar in your Orbeon Forms build.
6. Zip the content of your temporary directory into a file called orbeon-resources-public.jar and move it to WEB-INF/lib in your Orbeon Forms build, replacing the existing copy of that file with the version you created.