jQuery 1.11.0 brings a suite of updated development dependencies compared to the older 1.9.1, showcasing a commitment to modern build processes and code quality checks. Developers upgrading will notice a shift in tooling. The newer version embraces more recent versions of Grunt (from ~0.4.0 to 0.4.2), a task runner essential for automating repetitive development tasks like minification and testing. JSHint, for code linting, moves from ~0.1.1 to 0.7.2, suggesting stricter code quality enforcement.
Significantly, 1.11.0 incorporates several new development dependencies absent in 1.9.1. Tools like gzip-js indicate a focus on optimizing file sizes, while shelljs and archiver provide streamlined ways to work with shell commands and create archives respectively, potentially simplifying build and distribution processes. grunt-jsonlint, grunt-bowercopy, load-grunt-tasks, grunt-jscs-checker, and grunt-git-authors further illustrate this dedication to improved code quality, dependency management, and contribution tracking. The testswarm dependency gets a major version upgrade (0.2.2 to 1.1.0). While both handle the core JavaScript DOM manipulation that jQuery is known for, the newer version ships with enhanced developer tools improving build speed and code quality. Ultimately, jQuery 1.11.0 offers a more refined development workflow for contributors and a more robust build process than version 1.9.1. Despite the similar core functionalities, users of the library should note that this version has a different build system and development workflow.
All the vulnerabilities related to version 1.11.0 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
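As an added illustration that is not jQuery's own code, the following deep-extend in the style of jQuery.extend(true, target, source) applies the mitigation the 3.4.0 fix introduced (skipping an own __proto__ key, and here also constructor and prototype) so that an untrusted source object cannot reach Object.prototype; the function and helper names are this example's own.

```javascript
// Keys that must never be walked or assigned during a recursive merge,
// because they resolve through the prototype chain rather than to an own
// property of the target. jQuery 3.4.0 skips "__proto__"; this example
// also skips the other two for defence in depth.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Hardened deep merge: copies nested plain objects and arrays, refusing
// the blocked keys so a source such as {"__proto__": {...}} is ignored.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (source === null || typeof source !== "object") continue;
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue; // the mitigation
      const copy = source[key];
      if (isPlainObject(copy)) {
        const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
        const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeDeepExtend(existing, copy);
      } else if (Array.isArray(copy)) {
        const existing = Array.isArray(target[key]) ? target[key] : [];
        target[key] = safeDeepExtend(existing, copy);
      } else if (copy !== undefined) {
        target[key] = copy;
      }
    }
  }
  return target;
}

// Probe for a test suite: has Object.prototype gained the given marker?
function isPrototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}
```

Merging a JSON.parse'd object is the realistic case, because JSON.parse creates "__proto__" as an own enumerable property rather than touching the prototype.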
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.