jQuery 1.11.1 is a minor release following the 1.11.0 version of the popular JavaScript library designed to simplify HTML DOM manipulation, event handling, and AJAX interactions. While carrying the same core description as a "JavaScript library for DOM operations," the changes between these versions primarily involve updates to the development environment, suggesting a focus on refinement and build process improvements rather than significant feature additions directly impacting end-users.
A key difference lies in the devDependencies. jQuery 1.11.1 sees upgraded versions of tools like grunt-cli, requirejs, grunt-bowercopy, load-grunt-tasks, grunt-contrib-jshint, and grunt-contrib-uglify. The introduction of commitplease, a tool for enforcing proper commit message formatting, and grunt-git-authors, further emphasizes enhancements in the development workflow. The removal of development dependencies like shelljs and archiver from the 1.11.0 version points to a refactoring of the build process.
For developers using jQuery, this update implies improved stability and potentially more efficient build processes, which benefit users indirectly by ensuring the library is built and tested with the latest tools. However, the core functionality and API remain consistent, ensuring a seamless transition for existing projects using jQuery 1.11.0. Therefore, upgrading to 1.11.1 is recommended for benefiting from these improvements, without necessitating code modifications. The releaseDate field also shows that 1.11.1 is the more recent release, so it includes any bug fixes or enhancements made after the 1.11.0 release.
All vulnerabilities related to version 1.11.1 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
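The following is an added example and not jQuery's own code. It models the decision jQuery.ajax makes when a response arrives with a script content type, so the failure mode this advisory describes can be exercised offline, and places the rule the 3.0 line adopted (no automatic execution of a cross-origin response unless dataType: "script" was requested) next to the legacy rule. It also shows a defensive option wrapper for code that cannot upgrade yet. The function names (isCrossDomain, decideResponseHandling, hardenAjaxOptions) and the origin and content-type values are this example's own; the URL constructor is the WHATWG URL global available in browsers and Node.

```javascript
// Added example; not jQuery's own code. Models jQuery.ajax's handling of a
// script-typed response under the legacy rule and under the 3.0 rule.
// Function names are this example's own, not jQuery APIs.

const SCRIPT_CONTENT_TYPE = /(?:java|ecma)script/i;

// Origin check: scheme, host and port of the request URL against the page
// origin. Relative URLs resolve against the page, so they are same-origin.
function isCrossDomain(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// rule is "legacy" (pre-3.0) or "3.0". Returns "execute" when the body would
// be handed to jQuery.globalEval, otherwise "text" (delivered as a string;
// other dataTypes such as json are collapsed to "text" in this model).
function decideResponseHandling(opts, responseContentType, rule) {
  const looksLikeScript = SCRIPT_CONTENT_TYPE.test(responseContentType || "");
  if (opts.dataType) {
    // An explicit dataType is the caller's choice and always wins.
    return opts.dataType === "script" ? "execute" : "text";
  }
  if (!looksLikeScript) return "text";
  if (rule === "legacy") return "execute";        // content type alone decides
  return opts.crossDomain ? "text" : "execute";   // 3.0: inferred type honoured only same-origin
}

// Defensive wrapper for code stuck on an old jQuery: pin dataType on every
// cross-origin request that did not choose one, so a third-party server that
// starts answering with text/javascript cannot change what the client does.
function hardenAjaxOptions(opts, pageOrigin) {
  const out = Object.assign({}, opts);
  out.crossDomain = isCrossDomain(out.url, pageOrigin);
  if (out.crossDomain && !out.dataType) out.dataType = "text";
  return out;
}

// Constructed scenario: a cross-origin JSON endpoint that, through
// compromise or misconfiguration, answers with a script content type.
const PAGE_ORIGIN = "https://app.example";
const REQUEST = { url: "https://api.example/profile" };
const HOSTILE_CONTENT_TYPE = "text/javascript; charset=utf-8";

const legacyOpts = Object.assign({ crossDomain: isCrossDomain(REQUEST.url, PAGE_ORIGIN) }, REQUEST);
console.log("legacy rule:", decideResponseHandling(legacyOpts, HOSTILE_CONTENT_TYPE, "legacy"));
console.log("3.0 rule:   ", decideResponseHandling(legacyOpts, HOSTILE_CONTENT_TYPE, "3.0"));
console.log("pinned opts:", decideResponseHandling(hardenAjaxOptions(REQUEST, PAGE_ORIGIN), HOSTILE_CONTENT_TYPE, "legacy"));
```

The point of hardenAjaxOptions is that the protection comes from the client refusing to let the server's content type pick the handler; once dataType is pinned, the response is delivered as text even under the legacy rule. Upgrading to 3.0.0 or later remains the actual fix.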
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
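 
As an added example, not jQuery's code: a naive recursive merge written in the style of jQuery.extend(true, ...) beside a hardened version, both run against a constructed JSON document that carries an own "__proto__" key, which is exactly the input the advisory describes. The function names (naiveDeepExtend, safeDeepExtend, pollutionProbe) and the payload are this example's own; the hardened version follows the same idea as the fix in 3.4.0 (skip "__proto__") and additionally only iterates own keys and only recurses into properties the target owns itself.

```javascript
// Added example; not jQuery's own code. Contrasts a prototype-polluting deep
// merge with a hardened one. Names are this example's own.

// Naive recursive merge: every enumerable key of source is copied, including
// an own "__proto__". Reading target["__proto__"] yields Object.prototype, so
// the recursion writes the source's keys onto the shared prototype.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: iterate own keys only, refuse "__proto__" outright, and
// recurse only into objects the target owns itself (an inherited
// "constructor" or similar is replaced by a fresh object, never walked into).
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key)
        && target[key] !== null && typeof target[key] === "object";
      if (!ownObject) target[key] = {};
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON request body the app merges into
// a defaults object. JSON.parse creates an own, enumerable "__proto__" key.
const UNTRUSTED_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Run one merge function against the payload and report whether a fresh,
// unrelated object afterwards sees the injected property. Cleans up so the
// two runs do not influence each other.
function pollutionProbe(mergeFn) {
  const config = { name: "default" };
  mergeFn(config, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { name: config.name, leaked };
}

console.log("naive:", pollutionProbe(naiveDeepExtend));
console.log("safe: ", pollutionProbe(safeDeepExtend));
```

A useful detection check in a code base is exactly the probe above: after any deep merge of untrusted data, an empty object literal must not observe keys it never had. The hardened merge still copies ordinary nested data, so legitimate configuration merging keeps working.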
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
// Identity prefilter: jQuery no longer rewrites the HTML string before parsing it
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
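As an added example, not jQuery's own code and not part of the advisory: a reproduction of the kind of rewrite the pre-3.5 jQuery.htmlPrefilter performed, next to the identity prefilter the workaround above installs. The regex is modelled on the self-closing-tag expansion those versions used and should be read as an approximation, not the library's exact source; the function names (legacyHtmlPrefilter, identityHtmlPrefilter, prefilterDrift) and the sample strings are this example's own. The point it makes is why sanitizing first is not enough: a rewrite that runs after the sanitizer and has no notion of attribute context can produce markup the sanitizer never saw.

```javascript
// Added example; not jQuery's own code. Legacy-style htmlPrefilter rewrite
// beside the identity prefilter from the advisory's workaround.

// Approximation of the legacy pattern: expand "<x/>" into "<x></x>" for
// everything except a fixed list of void elements. It is plain text
// substitution with no HTML parsing, so quoted attribute values are rewritten too.
const LEGACY_SELF_CLOSING_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_SELF_CLOSING_TAG, "<$1></$2>");
}

// What the workaround assigns to jQuery.htmlPrefilter, and what 3.5.0 ships
// by default: sanitizer output reaches the HTML parser unchanged.
function identityHtmlPrefilter(html) {
  return html;
}

// Review helper: report markup whose post-prefilter form differs from what the
// sanitizer approved. Returns null when the string is untouched.
function prefilterDrift(html, prefilter) {
  const out = prefilter(html);
  return out === html ? null : { before: html, after: out };
}

// Constructed inputs: the intended case, a self-closing tag inside an
// attribute value, and a void element that the rewrite skips.
const SAMPLES = ['<span/>', '<img alt="<i/>">', '<br/>'];
for (const s of SAMPLES) {
  console.log("legacy:", JSON.stringify(prefilterDrift(s, legacyHtmlPrefilter)));
  console.log("identity:", JSON.stringify(prefilterDrift(s, identityHtmlPrefilter)));
}
```

The second sample is the instructive one: the attribute value is data to a sanitizer but looks like a tag to the regex, so the string that reaches the parser is not the string that was sanitized. With the identity prefilter (or jQuery 3.5.0 or later) prefilterDrift reports null for every input.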
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.