jQuery version 1.6.3 represents a minor update to the widely used JavaScript library, succeeding version 1.6.2. Both versions share the same core functionality and maintain the "Write Less, Do More" philosophy, aiming to simplify DOM manipulation, event handling, and AJAX interactions. Developers familiar with jQuery 1.6.2 will find a seamless transition to 1.6.3.
The dependency structure remains consistent between the two versions, relying on jsdom (version 0.2.0 or greater) and htmlparser (version 1.7.3 or greater). Important to backend JavaScript developers using Node.js, both versions are packaged for use in Node.js environments which means that the client-side code can be executed on the server side.
The key difference lies in the release date and potential bug fixes or performance improvements incorporated within version 1.6.3. Released on September 12, 2011, version 1.6.3 arrived roughly two months after version 1.6.2, which was released on July 6, 2011. While the specific details of the changes aren't explicitly listed, developers should consider this update for enhanced stability and refined performance, especially in scenarios where they encountered issues in the older release. The author, John Resig, remains consistent across both versions. The tarball URL in the "dist" field also changes, reflecting the unique archival package for each specific version. Developers can verify that they are installing the correct library version using the name and version identifiers.
All the vulnerabilities related to the version 1.6.3 of the package
Cross-Site Scripting in jquery
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors when given certain inputs, allowing for client side code execution.
$("#log").html(
$("element[attribute='<img src=\"x\" onerror=\"alert(1)\" />']").html()
);
Update to version 1.9.0 or later.
Cross-Site Scripting in jquery
Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.
Upgrade to version 1.9.0 or later.
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.