Friendly Reminder

As a reminder - you can just click the "follow" link on the right side of the page to start receiving updates on an issue, you don't need to post a comment.

Want to replace Colorbox with another module? Please use #3261738: Alternative Colorbox modules for all discussion and feedback.

A new release is incoming

Hi all - @paulmckibben from the Drupal Slack posted:

I haven't had time to read this entire thread, but I am now a maintainer of the colorbox module. We have work in progress on the outstanding security issues and hope to put out a new release very soon.

Problem/Motivation

The intent of this issue is to help the maintainer(s) coordinate community efforts in the creation of a new stable release. Community involvement is only intended as a suggestion; it is up to maintainers to ultimately decide the creation of, and what goes into, a stable release. If you are not interested in using this issue, please mark the issue as Fixed or Closed (works as designed).

Release-blocker issues

  • issues tbd

Good-to-fix issues

  • issues tbd

Above and beyond tasks

  • Create issue fix list for stable release using the grn tool.

Remaining tasks

  • Establish a list of release-blockers and 'good-to-fix' issues for a stable release.
  • Resolve above issues blocking the release of a stable release.
  • Craft changelog for new release.
  • Create new release.

Do you have resources you'd like to contribute to this template? Have feedback on the stable release request issue template? We want your feedback: #3239062: 'Stable Release Request' Issue Template

Original issue summary

Identify the changes to be included in the next stable release of Colorbox


Comments

RenatoG created an issue. See original summary.

xeM8VfDh’s picture

what's the status here? Is this module dead? The notice on the home page is concerning.

DamienMcKenna’s picture

I suspect there might be a new release soon.

xeM8VfDh’s picture

Oh wow, that's surprising and hopeful news @DamienMcKenna. Do you suspect said release would address the security concerns that have flagged this module as unsupported?

Many thanks to everyone working on it!

KlemenDEV’s picture

This is great to hear, it would be a shame to lose this module with 200k+ users :) Any info on when?

Beezer75’s picture

Following - I'd like to continue to use this module for sure.

solarDog’s picture

Following - I am grateful for this module!

caspervoogt’s picture

I use this module a lot. Happy to help test

hughworm’s picture

It's not clear whether the security issue affects the D7 version of the module. Can I find out?

SnowCoder’s picture

As this is a highly used module, I would hope someone would be quick on this and able to update the security concerns that are being flagged for it. I for one use this module in every site I've created. Hoping for a quick turnaround.

droddis’s picture

@hughworm

I'm guessing it is but there's no real information. I'm getting an UNSUPPORTED module warning from a number of my D7 sites, but not seeing anything on the /update page. I'm guessing that means that ColorBox is affected but for some reason isn't populating when running the look for updates script.

glbr’s picture

@hughworm, @droddis I'm getting the unsupported warning across all my D9 sites. I don't think the security team distinguishes between versions when they mark a module unsupported. Instead they do that based on a lack of response from maintainers for a security issue affecting the module. Most sites running colorbox are still on D7, but it's not clear what the vulnerability is or which piece of software needs an update.

And it isn't clear that this problem or those listed as children here have anything to do with the security issue. Probably not, I would guess, from the process described at the page below.

See "what happens if I don't respond?" here: https://www.drupal.org/drupal-security-team/contacted-by-the-security-team-now-what

hughworm’s picture

There's a team of 5 maintainers. I wonder if we could have a statement from one of them?

hughworm’s picture

Sent on Twitter: "@Sam_152 @NesleePinto27 @josephwheaton I see you're maintainers of the Colorbox module which has been given "unsupported" status by the security team. I'd love to know whether you plan an imminent Drupal 7 release to fix this?"

gillesbailleux’s picture

Following

DamienMcKenna’s picture

As a reminder - you can just click the "follow" link on the right side of the page to start receiving updates on an issue, you don't need to post a comment.

xeM8VfDh’s picture

Glad to see some other dedicated users jump on this issue, hopefully we gain some traction soon. I too am happy to test!

glbr’s picture

Issue #3260722: Offer to co-maintain Colorbox has been opened. The reporter stated they are mainly interested in the D7 version so someone interested in co-maintaining with a focus on D8+ might want to connect there.

drupalfan2’s picture

Unsupported: 1.7.
I am also interested in 8.x-1.8.

Jon Pollard’s picture

I am also interested in the D9 version. If there is a security issue facing both 7 & 9 versions, is it possibly the same issue?

ThirstySix’s picture

+1 For Drupal 9 version

kenrbnsn’s picture

Does anybody know what the security problem is that caused this to happen? If we knew what the problem is, maybe more of us would jump in to try to fix it.

solideogloria’s picture

@droddis See #3097138: Unsupported modules don't show in Update Manager

It happens when a module is unsupported but there is no replacement to update to.

drupalfan2’s picture

This link to #3097138 is for Drupal 7. We are talking about Drupal 9.

solideogloria’s picture

Droddis was talking about D7. That's why I pinged him.

drupalfan2’s picture

We all should talk about a new Drupal 9 version.

solideogloria’s picture

There are 3 times as many users of Colorbox for Drupal 7 as there are of the 8.x branch. So both versions need maintenance.

drupalfan2’s picture

We have 5 maintainers. Somebody should mail them.

alienzed’s picture

I nominate drupalfan2 for emailing the 5 maintainers!

xeM8VfDh’s picture

It would be great if both the D7 and D8/9 versions were addressed.

That said, while I realize there are more D7 version users, D7 itself is end-of-life in 10 months, while D9 isn't end-of-life for another 22 months.

andreaciravolo’s picture

I am also interested in the D9 version.
I have tried on both the D9 and the D7 and I get the same warning: "Not supported! Error
Colorbox 8.x-1.7 Project not supported: This project is no longer supported, and is no longer available for download. Disabling everything included by this project is strongly recommended! Includes: Colorbox "
I ask someone more experienced: should I disable Colorbox while waiting for news, or leave it active? What are the risks? Thanks, Andre

afarsal’s picture

Hello dear team,

It's good to have both versions (7 & 9 & ...) and I hope that the end-of-life of Drupal 7 will be extended longer.

Thank you very much and thanks, Drupal team.

Kulturmensch’s picture

Need a patch for 9.3, too.

drupalfan2’s picture

I contacted Neslee (https://www.drupal.org/u/neslee-canil-pinto)

and sent him 2 messages (drupal profile contact form, and on his website).

So please contact the other maintainers now.
Thank you.

frjo’s picture

One of the original maintainers here. I stopped using Drupal a few years ago and handed over all my modules.

drupalfan2’s picture

Okay, do you know who the new active maintainer is?

glbr’s picture

@drupalfan2, respectfully, there seems to be something about "unsupported module" that you are missing. Former maintainers who have moved on for whatever reasons owe you no explanation. As mentioned in one of my earlier comments, the community process does seem to be working - potential maintainers seem to be working with the security team to become maintainers. That, and getting the security issue fixed, which probably has nothing to do with this issue, may take a bit of time.

@frjo, thanks for your contributions to a module that is clearly still appreciated by many in the Drupal community.

lorisbel’s picture

Is it possible to know the issue's details that make the project not yet supported? Thanks

DamienMcKenna’s picture

Is it possible to know the issue's details that make the project not yet supported?

Per the security team's processes - no, we wait at least 30 days before allowing the details to be made public in order to give time for new prospective maintainers to take on the responsibility and fix it.

Colorbox is a somewhat high profile module, please be patient while the process is running its course.

drupalfan2’s picture

>> we wait at least 30 days before allowing the details to be made public

Why?

DamienMcKenna’s picture

>> we wait at least 30 days before allowing the details to be made public

> Why?

We don't want people knowing what the exploit is and learning how to hack sites using it before there's a fix available.

drupalfan2’s picture

But the maintainer or future maintainer should know what the exploit is, otherwise they cannot decide if they are able to help or not.

xeM8VfDh’s picture

It sounds like potential new maintainers are in contact with core/security folks to discuss and manage a handoff. I could be wrong, but that's what #37 and the other issue seem to suggest.

Webbeh’s picture

Issue summary: View changes

Adjusting issue summary for release notes, and adding helpful reminder for folks to keep this issue on topic.

But the maintainer or future maintainer should know what the exploit is, otherwise they cannot decide if they are able to help or not.

To expand on this, this refers to a public disclosure, not a disclosure to module maintainers. Thanks for the feedback, but let's keep this issue on track with issue completion for a new release.

drupalfan2’s picture

Priority: Normal » Critical

Attention - Attention - Attention

217,583 sites are using the Colorbox module.
217,583 sites are at risk of being hacked.

None of the 217 thousand site owners or webmasters know how big the problem is and how vulnerable their data is, because they continue to use the colorbox module.
But their sites might be hacked.

Every effort should be made to close the security issue as soon as possible and without waiting.

KlemenDEV’s picture

I 100% agree with #45. 217,583 is quite a number.

I understand how open source projects work and that no one is really to blame or to be expected to fix this, but on the other hand, this is quite bad for Drupal and its name.

Ollibolli’s picture

Hmm, no hard feelings on this, but there seem to be numerous people willing to help out to get this sorted out quickly.

When it comes to security concerns there is no time to lose to get these issues fixed. Security has always been a trademark for Drupal, and there should be quick ways to fix projects or bury them completely when no fixing is foreseeable.

afarsal’s picture

100% agree with #45 and #47.

We use Drupal because it is reliable. Why wait for a maintainer?

Thanks.

ab_connor’s picture

I decided to get rid of colorbox and switch to baguettebox. I don't trust a project where its maintainers have no time for the security of their users. It's quite easy and baguettebox has the same features. Look here: https://www.drupal.org/node/266126

Rikibu’s picture

We only can hope and wait for a fix. But are there any alternative solutions to put node content into lightboxes?

I tried baguette.js and magnific popup - both are working on node content pages as formatter, but when I use them on views generated pages, the lightbox effect is not shown.

ab_connor’s picture

@Rikibu :
README says: To make it work with Views you should either set "Use field template" checkbox or manually add "baguettebox" class in View field style settings.

Rikibu’s picture

@ab_connor
Ah, thanks... I need better glasses :-)
But maybe this one helps another user here to work around the colorbox issue...

xeM8VfDh’s picture

baguettebox is a nice alternative to know about, but I came to Colorbox because Juicebox exhibited a similar issue as this one: basically vanishing maintainers, and it broke when core updated. Colorbox seems like the most popular lightbox module I'm aware of, so it's probably worth keeping this one alive.

Good to know about baguette though, in case no traction is gained here.

TTNT’s picture

I tried both baguette and magnific, I can't get either of them to work. Following installation instructions for both, magnific does get the library loaded but doesn't do anything when the formatter is selected. Baguette simply doesn't want to find the library at all (and yes, I read the release notes about the folder name change, it didn't matter). Colorbox seems to just... work. So yea, I'll also post in the respective issue queues to get pointers on how to install them, but on the other hand it would be nice to get colorbox back.

TTNT’s picture

So I replaced colorbox with baguette as follows:

  • composer require 'drupal/baguettebox:^1.x-dev'
  • Upload the https://github.com/feimosi/baguetteBox.js "dist" folder into "/libraries/baguettebox.js/dist"
  • In a view, add the "field html" CSS class "baguettebox"
  • In a view, be sure to enable "add buttons" in the baguettebox options in the field to get a gallery to work

Just in case someone else wants to get rid of colorbox until there is a stable D9 branch.

Webbeh’s picture

Issue summary: View changes

Folks - for replacement module discussion, please use #3261738: Alternative Colorbox modules. This issue is intended for the next stable release discussion and planning.

xeM8VfDh’s picture

Thanks @Webbeh

Is there any update or predicted time for an update as to whether new maintainers have been assigned and/or if the ball is moving forward? I suspect most people here don't want to jump ship to a new module, and regular updates from people in the know would be helpful to assuage doubts and provide clarity.

candelas’s picture

I just want to say thanks thanks thanks to the past maintainers, the future ones and the security team.
I can understand people being nervous, but, please, respect the generous work they have given to us.
And we all can, if we don't have the knowledge, donate money to make this solved sooner.
Have a good day! :)

Webbeh’s picture

Issue summary: View changes

Hi all - @paulmckibben from the Drupal Slack posted:

I haven't had time to read this entire thread, but I am now a maintainer of the colorbox module. We have work in progress on the outstanding security issues and hope to put out a new release very soon.

paulmckibben’s picture

Hi all, I am a new maintainer. I, along with a few others, are actively working on a fix for several outstanding security issues in both the 8.x and 7.x versions of colorbox. We are very close to a release, and a return to "supported" status, for both. Please hang tight. Thanks!

KlemenDEV’s picture

Nice, thank you @paulmckibben and team for your work on the module :)

Rikibu’s picture

@paulmckibben
thanks for giving the colorbox module a secure future :-)
great news.

le72’s picture

Thank you @paulmckibben.

stuhannaford’s picture

Thanks @paulmckibben

EricVL’s picture

This is great. Thanks @paulmckibben

jabeler’s picture

Thanks @paulmckibben :)

dak5859’s picture

Thanks @paulmckibben. Good news.

xeM8VfDh’s picture

Thanks @paulmckibben and everyone else working on it, great work!

paulmckibben’s picture

Status: Active » Needs review

The 8.x-1.8 release is out. All known security issues are fixed. However, security coverage will not be restored until a thorough audit of the codebase for both 7.x and 8.x can be completed. Thanks!

Putting this issue in "Needs Review" state, with the intent to close it in the next few days pending any other feedback.

rafaolf’s picture

Thank you @paulmckibben, really appreciated!

xeM8VfDh’s picture

Thanks @paulmckibben

I have just deployed 1.8 and it works fine for me. I am not sure if there is anything I should specifically be testing other than the default functionality (if there is some security testing that needs to be done).

Let us know if there is specific testing that needs to be done.

EDIT: I'm on core 9.3.4

goldin’s picture

Status: Needs review » Active

Spectacular news @paulmckibben! Thank you. I have also tested basic functionality on 1.8 (and with core 9.3.4 – just out), and it's working fine.

andreaciravolo’s picture

Perfect @paulmckibben, I tested it on D9.3.3 and it is OK. Thank you all

glbr’s picture

Tested with core 9.3.4. Works. The code changes for 8.x-1.8 look fine to me. Thanks!

J-Lee’s picture

Many thanks to paulmckibben for the takeover.
1.8 with Drupal 9.3.4 looks good. Did not see another issue after a quick look.

drupalfan2’s picture

Thank you.

grumpy74’s picture

🙏 Thank you @paulmckibben !

ThirstySix’s picture

Thank you @paulmckibben,
Yes, I have tested with 9.3.4 with V1.8. Working fine.

Webbeh’s picture

Status: Active » Needs review

Per #69 (and incorrect status update in #72).

hughworm’s picture

Thanks all.

However.... I just deployed the update to a D7 site and unfortunately it broke a video_embed_field field popup, so I have reverted.
It seems to be caused by these new lines in colorbox.js:

        // Only images are supported for the "colorbox" class.
        // The "photo" setting forces the href attribute to be treated as an image.
        var extendParams = {
          photo: true
        };

Commenting out the "photo: true" enabled wef videos to load.

Should I raise a new issue?

Webbeh’s picture

Per #80, create a new issue for that bug.

afarsal’s picture

Fine. Thank you @paulmckibben and thanks Drupal team.

caspervoogt’s picture

Tested 1.8 and it's working beautifully. Thanks, maintainers!

xeM8VfDh’s picture

Looks like my Available Updates Report page is no longer warning me about Colorbox 🎉🎉🎉

I see a full code audit is required before the module is officially given the green light by the security team, but we are all really glad to see this moving (so incredibly quickly) in the right direction.

Thanks again everyone.

paulmckibben’s picture

@hughworm, re:

I just deployed the update to a D7 site and unfortunately it broke a video_embed_field field popup

I tried this myself, and the bug appears to be in the video_embed_field module. It is creating an incorrect link, adding both the "colorbox-load" and "colorbox" classes. It should only add the "colorbox-load" class.

I filed an issue against the video_embed_field module, and there's a patch there: #3262515: Incorrect colorbox class on thumbnail with colorbox.

HaemishM’s picture

I updated to the version for Drupal 9.3. I'm using it with a view that loads content fields from a custom content type, using replacement tokens on the "Custom Caption" for the popup. It seems as if the content in the popup is now fed as raw text, so any HTML tags in the content get printed out exactly on the popup (strong tags show up around words, can't put line breaks or have different parts of the output as CSS targeted elements). It all just fills the cBoxTitle div without any formatting.

bas123’s picture

@paulmckibben,

Thanks for jumping in and saving the day so quickly for the "measly"😉 214,753 sites reported using this module!

I have been frantically looking for alternatives with a keen eye on the Slick Carousel and its suite of Slideshows etc. and have been in communication with the very helpful Gaus Surahman (gausarts) who has provided me with very useful alternatives should they become necessary!

I just updated a Drupal 8.9.20 | Open Social (social 10.3.8) with near future plans to bring it into Drupal ^9 | Open Social ^11.

In the process of that update it appears that Colorbox 8.x-1.8 was in fact installed to replace version 8.x-1.2.

To be clear, are we now safe from all vulnerabilities that caused the recent security alerts (and deprecation), so that we may safely continue our configurations?

And is it only a matter of a review and stamp of approval by the Drupal Security Team that would clear any warnings etc.?

xeM8VfDh’s picture

Working for me on latest 9.3.5 as well.

I am using it in a view.

paulmckibben’s picture

@bas123, the current Colorbox releases are safe from all known vulnerabilities. We are thoroughly reviewing both the 7.x and 8.x branches and are also trying to address backward compatibility issues. You should no longer be getting a warning in the update manager of your site, but please understand that the Colorbox module currently does not have coverage from the security team. We'll have security coverage again once we reach a point that we (the maintainers and the security team) are satisfied that both branches are adequately hardened.

paulmckibben’s picture

Everyone: if you encounter a backward compatibility issue, please write up a new issue rather than comment here. It will be easier to track that way. Thank you.

Sseto’s picture

Updated Colorbox on 9.3.5 and it works perfectly. Thanks for the quick update team!

bas123’s picture

@paulmckibben,

Thanks for that, and again great work!

I will be working now on updating my Open Social sites to version 11, which runs on Drupal 9.2x (currently), and trust that the Colorboxes that I use for both images and video in user profiles will not be among the possible stumbling blocks to that end.

In the meantime, I have been in communication with Gaus Surahman (gausarts) as I mentioned above, and believe I may look to transition once the upgrades are complete from colorbox to Slick Lightbox and/or Carousel for these purposes.

Have you (or anyone else here) made such a transition? The primary reason for me would be what appears to be a greater range of display options and captioning styles, plus I believe the general user is now more accustomed to seeing and using this type of slider due to its popularity across the web.

Thoughts welcome!

c.altosax’s picture

Colorbox is an important part of a website that I maintain, but we are leaving it disabled until security coverage is reinstated. Are there any estimates of when the audit might be complete? Is there somewhere that we can watch for updates on that?

HUGE thank you to the new maintainers and also to the security team for the great work being done here.

paulmckibben’s picture

@c.altosax I'm trying to get a better idea from the security team as to what it will take to restore security coverage. I'm sorry to say, I don't have a timeframe, but hopefully soon.

goldin’s picture

@paulmckibben Thank you for the effort you put in to restore security coverage for Colorbox!

Nick Hope’s picture

Also from me, thank you very much @paulmckibben.

kmonty’s picture

Status: Needs review » Fixed

Given 1.9 was released earlier this week and the module has security coverage again, it seems this is fixed and this issue is no longer relevant. Thanks Paul!

xeM8VfDh’s picture

Amazing, well done to everyone involved :)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

bas123’s picture

So, now someone has undone a feature that was reinstalled a few months back!

I do not know if anyone here has any feedback on this, but I'm taking a shot!

This involves the use of Colorbox Navigation Buttons when used with Blazy Video Embed Field using Colorbox as Media Switcher

See: https://www.drupal.org/project/colorbox/issues/3277985

DamienMcKenna’s picture

@bas123: Please open a new issue for that regression.

bas123’s picture

DamienMcKenna,

Did I not do that with: https://www.drupal.org/project/colorbox/issues/3277985

Or do I need to do this somewhere else?

DamienMcKenna’s picture

Ok, that's fine, let's continue the discussion over in that issue.