jQuery 1.11.2 represents a refinement over its immediate predecessor, jQuery 1.11.1, both being robust and widely used JavaScript libraries focused on simplifying DOM manipulation, event handling, and AJAX interactions. While both versions share a core commitment to ease of use and broad browser compatibility, subtle differences exist, primarily in the development tooling. A key difference is the updated commitplease version, moving from 1.7.0 in 1.11.1 to 2.0.0 in 1.11.2, suggesting potential enhancements in the commit workflow for contributors.
The core functionality is the same in both versions, letting developers achieve complex tasks with less code: selector support for efficiently targeting HTML elements, methods for modifying CSS and HTML attributes to build dynamic, responsive pages, and built-in effects. Both versions are equally capable at managing events and asynchronous requests.
For developers choosing between the two, the changes are minimal enough that the decision hinges more on wider project compatibility and personal preference. Both versions are mature and stable choices for projects needing reliable DOM manipulation. Because of its later release date, version 1.11.2 incorporates the minor bug fixes addressed after the 1.11.1 release, so choosing the newer version offers a slightly more polished development experience.
All vulnerabilities affecting version 1.11.2 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
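The following is an added example, not jQuery's own code: a deep-merge helper that refuses the keys an untrusted source object could use to reach Object.prototype, in the spirit of the fix shipped in jQuery 3.4.0, together with a check that the native prototype stayed clean. The names safeDeepMerge, isForbiddenKey and prototypePolluted, and the sample JSON, are assumptions constructed for this example.

```javascript
// Added example (not jQuery's code). Helper names are assumptions.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Keys that, when assigned on a plain object, walk up the prototype chain.
function isForbiddenKey(key) {
  return FORBIDDEN_KEYS.has(key);
}

// Recursively copies own enumerable properties of `source` into `target`,
// skipping the keys that a deep extend must never follow.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isForbiddenKey(key)) continue;          // drop __proto__ and friends
    const src = source[key];
    if (isPlainObject(src)) {
      const dst = isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Detection check: has a marker property leaked onto every object?
function prototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker) ||
         ({})[marker] !== undefined;
}

// Constructed sample input: JSON.parse yields an *own* enumerable
// "__proto__" key, the shape described in the advisory above.
const untrusted = JSON.parse('{"name":"x","__proto__":{"polluted":"yes"}}');
const merged = safeDeepMerge({}, untrusted);
console.log(merged, "polluted?", prototypePolluted("polluted"));
```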
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.