jQuery version 1.6.2 arrived on July 6, 2011, succeeding version 1.5.1, released a few months prior on March 19, 2011. Both versions carry the familiar tagline "Write Less, Do More, JavaScript Library," highlighting jQuery's core philosophy of simplifying DOM manipulation, event handling, and AJAX interactions. A significant distinction lies in their dependencies. Version 1.6.2 requires "jsdom" with a minimum version of ">=0.2.0," while version 1.5.1 relies on "jsdom" exactly at version "=0.1.20." Both consistently utilize "htmlparser" at version ">= 1.7.3."
This difference in 'jsdom' dependency is crucial. 'jsdom' provides a JavaScript implementation of the DOM and HTML standards, enabling jQuery to run in server-side environments like Node.js. The update in 1.6.2 suggests enhanced compatibility or reliance on newer 'jsdom' features, potentially offering developers server-side rendering or testing capabilities not fully realized in 1.5.1. For developers targeting server-side JavaScript environments, jQuery 1.6.2 might offer a smoother experience due to its more flexible jsdom dependency. If server-side compatibility is not a concern and you use version 1.5.1 already, upgrading only to receive bug fixes is sensible. As usual, it is adviced to upgrade to the latest version as soon as possible, as the difference is from more than 10 years ago and a lot of security issues could be found.
All the vulnerabilities related to the version 1.6.2 of the package
jQuery vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Cross-Site Scripting in jquery
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.
$("#log").html(
$("element[attribute='<img src=\"x\" onerror=\"alert(1)\" />']").html()
);
Update to version 1.9.0 or later.
Cross-Site Scripting in jquery
Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.
Upgrade to version 1.9.0 or later.
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.