jQuery 2.1.0 and 1.12.4 both serve as JavaScript libraries streamlining DOM manipulation, but they cater to different development needs. Version 2.1.0, released in early 2014, intentionally dropped support for older versions of Internet Explorer (IE6, IE7, and IE8), resulting in a leaner and faster library for modern browsers. For developers targeting only contemporary browsers, 2.1.0 offers performance benefits due to the removal of legacy code. This version relies heavily on Grunt for build automation, employing tools like grunt-contrib-jshint for code linting and grunt-contrib-uglify for minification.
jQuery 1.12.4, the final release in the 1.x line, released in mid 2016, keeps compatibility with older browsers, including those legacy versions of Internet Explorer. If your project requires support for these older browsers, version 1.12.4 is the necessary choice. It boasts a more extensive suite of development dependencies, featuring tools like grunt-jscs for code style checking, grunt-babel for transpiling ES6 code, and jsdom for testing in a simulated DOM environment. While 1.12.4 provides broader browser support, it potentially comes with a slight performance overhead compared to 2.1.0 on modern browsers due to the inclusion of compatibility shims for older rendering engines. Each version offers the core jQuery functionality, but version selection depends heavily on the project's browser compatibility requirements.
All the vulnerabilities related to version 2.1.0 of the package

Cross-Site Scripting (XSS) in jquery

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
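The advisory above describes the deep-merge flaw in general terms. The following is an added example, not jQuery's own code and not part of the advisory: a small deep merge in the shape of jQuery.extend(true, target, source), shown first in a naive form that has the flaw described, then in a hardened form that never walks prototype-affecting keys, plus a scanner that flags such keys in untrusted input before it reaches any merge. The function names (naiveExtend, safeExtend, findPollutionKeys) and the JSON payload are constructed for this illustration.

```javascript
// Added example, not jQuery project code. Demonstrates the class of bug in the
// advisory (deep merge writing into Object.prototype) and a hardened merge.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "Plain object" here means an object literal or JSON.parse output. Arrays,
// Dates, class instances and null are copied by reference rather than merged.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Naive deep merge, kept for contrast with safeExtend below. JSON.parse turns
// {"__proto__": {...}} into an own enumerable key, so for...in visits it;
// reading target["__proto__"] then yields Object.prototype, and the recursion
// writes the attacker's keys into the shared prototype.
function naiveExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: own keys only, skip prototype-affecting names, and only
// descend into a target slot the target actually owns.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key] : undefined;
      if (!isPlainObject(existing)) target[key] = {};
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Pre-merge check for logging or rejecting input: returns dotted paths of every
// prototype-affecting key found anywhere in a decoded JSON document.
function findPollutionKeys(obj, path = '') {
  const hits = [];
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    if (isPlainObject(obj[key])) hits.push(...findPollutionKeys(obj[key], here));
  }
  return hits;
}

// Constructed sample of untrusted input (e.g. a JSON body merged into config).
const UNTRUSTED_JSON = '{"a":{"y":2},"__proto__":{"polluted":true}}';

module.exports = { naiveExtend, safeExtend, findPollutionKeys, UNTRUSTED_JSON };
```

The regression check a defender wants is the last one: after merging the sample input with safeExtend, a fresh `{}` must still have no `polluted` property. The scanner is useful on its own as a reject-or-log gate in front of any third-party merge routine whose internals you do not control.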
Potential XSS vulnerability in jQuery

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

This problem is patched in jQuery 3.5.0.

To work around the issue without upgrading, add the following to your code:

    jQuery.htmlPrefilter = function( html ) {
        // pass the HTML through unchanged
        return html;
    };

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

This problem is patched in jQuery 3.5.0.

To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
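The two htmlPrefilter advisories above give three version boundaries (fixed in 3.5.0; the identity override needs at least 1.12 or 2.2) and leave the reader to work out which remedy applies to the version actually loaded. The following is an added example, not code from the jQuery project or from the advisories: a helper that classifies a jQuery version string against those boundaries and installs the advisory's identity htmlPrefilter only where it is supported. It assumes that jQuery.fn.jquery carries the version string (it does in released jQuery builds) and uses a constructed stand-in object rather than real jQuery so it runs offline. For a version below the override threshold, 2.1.0 included, it reports 'upgrade': upgrading, or sanitizing the string before it reaches jQuery as the second advisory describes, is what remains.

```javascript
// Added example, not jQuery project code. Thresholds come from the advisories:
// patched in 3.5.0; htmlPrefilter override usable from 1.12 / 2.2.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  if (!m) throw new Error('unrecognised jQuery version string: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// 'fixed'    : 3.5.0 or later, nothing to do
// 'override' : below 3.5.0 but at least 1.12 / 2.2, so the identity
//              htmlPrefilter from the advisory can be installed
// 'upgrade'  : older than that (e.g. 2.1.0); the override is not available
function htmlPrefilterStatus(version) {
  if (compareVersions(version, '3.5.0') >= 0) return 'fixed';
  const major = parseVersion(version)[0];
  const supportsOverride =
    (major === 1 && compareVersions(version, '1.12.0') >= 0) ||
    (major === 2 && compareVersions(version, '2.2.0') >= 0) ||
    major === 3;
  return supportsOverride ? 'override' : 'upgrade';
}

// Install the advisory's workaround on a jQuery object when applicable.
// Returns true when installed, false otherwise (already fixed, or too old).
function applyHtmlPrefilterWorkaround(jq) {
  const version = jq && jq.fn && jq.fn.jquery; // jQuery.fn.jquery = version string
  if (htmlPrefilterStatus(version) !== 'override') return false;
  jq.htmlPrefilter = function (html) { return html; }; // pass HTML through unchanged
  return true;
}

// Constructed stand-in for a jQuery 2.2.x object whose prefilter rewrites
// markup. This is not jQuery; it only shows the effect of installing the override.
const fakeJQuery = {
  fn: { jquery: '2.2.4' },
  htmlPrefilter: function (html) { return html + '<!-- rewritten -->'; },
};

module.exports = { parseVersion, compareVersions, htmlPrefilterStatus, applyHtmlPrefilterWorkaround, fakeJQuery };
```

Calling `applyHtmlPrefilterWorkaround(window.jQuery)` early in page setup, before any `.html()` or `.append()` of third-party content, is the intended use; the return value is worth logging so a deployment that silently loads a version too old for the override does not go unnoticed.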