jQuery 1.12.2 is a patch release in the 1.12.x series of the JavaScript library for HTML DOM manipulation, event handling, and animation. Its public API is the same as in 1.12.1, and both versions share the same set of development dependencies, so the test and build processes are unchanged. Developers can expect the same feature set and comparable performance when upgrading from 1.12.1 to 1.12.2.
The difference lies in bug fixes that improve stability and address edge cases. The specific changes are not detailed in this data; patch releases of this kind typically address issues reported by the community and improve compatibility across browsers and environments. 1.12.2 was released on March 17, 2016 and 1.12.1 on February 22, 2016, so the two are less than a month apart. Upgrading to 1.12.2 therefore delivers incremental fixes on a known base with no API changes. Note, however, that 1.12.2 is affected by every advisory listed below, and each of those is fixed only in jQuery 3.4.0 or 3.5.0; moving between 1.12.x releases does not address them.
All vulnerabilities affecting version 1.12.2 of the package
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
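How the pollution happens, shown as an added example that is not jQuery's own code: deepExtendVulnerable is a deep merge with the same shape as the pre-3.4.0 jQuery.extend(true, ...) loop (isPlainObject is a simplified stand-in for jQuery.isPlainObject), deepExtendFixed is the same loop with the key-name check that 3.4.0 added, and ATTACKER_JSON is a constructed payload of the kind a JSON request body would deliver.

```javascript
// Added example, not jQuery's own code: a deep merge mirroring the
// pre-3.4.0 jQuery.extend(true, ...) loop, and the hardened variant.

// Simplified stand-in for jQuery.isPlainObject: true for object literals,
// JSON.parse output, Object.create(null) objects and Object.prototype itself.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto === Object.prototype;
}

// Vulnerable: enumerates every own key of `source`, including an own
// "__proto__" key. Reading target["__proto__"] yields Object.prototype,
// which passes the plain-object check, so the recursion writes into it.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const src = target[name];
    const copy = source[name];
    if (target === copy) continue; // avoid never-ending recursion
    if (isPlainObject(copy)) {
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: identical apart from the key check jQuery 3.4.0 introduced.
function deepExtendFixed(target, source) {
  for (const name in source) {
    if (name === "__proto__" || target === source[name]) continue;
    const src = target[name];
    const copy = source[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an own, enumerable
// "__proto__" property here; an object literal {__proto__: ...} would
// instead set the prototype and never be enumerated.
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merges the payload into a config object, then checks whether an unrelated,
// freshly created object now inherits `isAdmin`. Cleans up afterwards.
function mergeAndProbe(extendFn) {
  const config = { theme: "light" };
  extendFn(config, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return { theme: config.theme, polluted };
}

console.log("vulnerable:", mergeAndProbe(deepExtendVulnerable)); // polluted: true
console.log("fixed:     ", mergeAndProbe(deepExtendFixed));      // polluted: false
```

The check is on the literal key name rather than on the value because the danger is the assignment target, not the payload: any object reached through target["__proto__"] is a shared prototype, and writing to it changes every object that inherits from it.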
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
	// Return the HTML unchanged, disabling the self-closing-tag expansion applied before 3.5.0
	return html;
};
This workaround requires jQuery 1.12/2.2 or newer, because jQuery.htmlPrefilter is not exposed in earlier versions.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
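Why sanitizing before the call was not enough, shown as an added example that is not jQuery's own code: rxhtmlTag and legacyHtmlPrefilter reproduce the self-closing-tag expansion jQuery's htmlPrefilter performed before 3.5.0 (reconstructed from the 1.x source, so treat the exact pattern as an assumption), identityHtmlPrefilter is the advisory's workaround, liveStartTags is a deliberately minimal stand-in for the browser parser's view of the markup, and SANITIZED_INPUT is constructed in the shape of the publicly discussed proof of concept.

```javascript
// Added example, not jQuery's own code. The regex below is a reconstruction
// of jQuery 1.x's rxhtmlTag; treat the exact pattern as an assumption.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: "<style/>" becomes "<style></style>".
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// The advisory's workaround (and the 3.5.0 default): pass HTML through untouched.
function identityHtmlPrefilter(html) {
  return html;
}

// Minimal stand-in for the browser parser: returns the names of the start
// tags that become elements. Everything after <style> or <script> is raw
// text until the matching end tag, as in real HTML parsing.
function liveStartTags(html) {
  const tagRe = /<(\/?)([a-zA-Z][\w:-]*)[^>]*>/g;
  const live = [];
  let rawTextOwner = null;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isEndTag = m[1] === "/";
    const name = m[2].toLowerCase();
    if (rawTextOwner !== null) {
      if (isEndTag && name === rawTextOwner) rawTextOwner = null;
      continue; // inside raw text: nothing here becomes an element
    }
    if (isEndTag) continue;
    live.push(name);
    if (name === "style" || name === "script") rawTextOwner = name;
  }
  return live;
}

// Constructed input in the shape of the publicly discussed proof of concept.
// A sanitizer that parses this string sees a single <style> element whose
// text happens to contain "<img ...>", and lets it through.
const SANITIZED_INPUT = '<style><style/><img src=x onerror=alert(1)></style>';

// What the given prefilter lets the browser turn into elements.
function elementsCreated(prefilter, html) {
  return liveStartTags(prefilter(html));
}

console.log("sanitizer saw:   ", liveStartTags(SANITIZED_INPUT));                    // ["style"]
console.log("legacy prefilter:", elementsCreated(legacyHtmlPrefilter, SANITIZED_INPUT));   // ["style","img"]
console.log("workaround:      ", elementsCreated(identityHtmlPrefilter, SANITIZED_INPUT)); // ["style"]
```

The expansion turns the inert "<style/>" inside the raw-text block into a real "</style>", so the sanitizer's parse and the browser's parse no longer agree and the <img> with its onerror handler becomes a live element. The identity prefilter keeps the two parses identical, which is why it closes this particular gap; it does not make unsanitized HTML safe.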
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/