jQuery 2.1.2 is a minor version update to jQuery 2.1.1 within the long-established JavaScript library for DOM manipulation, event handling, and AJAX. Both versions share a core offering streamlined cross-browser compatibility and a rich set of functionality; the key differences lie mainly in bug fixes and subtle refinements. Both rely on almost the same suite of developer dependencies, using Grunt for build automation, gzip-js for compression, and various Grunt plugins (jshint, uglify, etc.) for code quality and optimization.
The move from 2.1.1 to 2.1.2 suggests an emphasis on stability and incremental improvement rather than new features. Developers already on jQuery 2.1.1 should find the upgrade relatively seamless, with improved reliability and, in specific scenarios, better performance from the addressed bugs. The consistent set of devDependencies indicates a continued commitment to the code-quality and build processes established in the previous version. Examining the commit history between the two versions on the linked GitHub repository would reveal the precise nature of the resolved issues, which is valuable for developers seeking optimal performance and stability in their web applications. The release of 2.1.2 five months after 2.1.1 signals an active maintenance track.
All vulnerabilities related to version 2.1.2 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
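The Object.prototype pollution described above, as an added example that is not jQuery's own code: a minimal deep merge in the style of jQuery.extend(true, ...) that can run either with the pre-3.4.0 behaviour or with the 3.4.0 fix (skipping the __proto__ key), next to a hypothetical pre-check helper, hasDangerousKeys, that a site still on a vulnerable jQuery could run on untrusted JSON before merging it. The JSON body is constructed for the demonstration.

```javascript
// Simplified jQuery.isPlainObject: {} and Object.create(null) objects are plain,
// and so is Object.prototype itself, which is what lets the pollution reach it.
function isPlainObject(v) {
  if (!v || Object.prototype.toString.call(v) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}
// Minimal stand-in for jQuery.extend(true, target, source). With hardened=false it
// reproduces the pre-3.4.0 flaw: for the key "__proto__", target[key] resolves to
// Object.prototype, which passes isPlainObject, so the source's children land on it.
// With hardened=true it applies the 3.4.0 fix: the "__proto__" key is skipped.
function deepExtend(target, source, hardened = true) {
  for (const key of Object.keys(source)) {
    if (hardened && key === "__proto__") continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      const src = target[key];
      const clone = isPlainObject(src) ? src : {};
      target[key] = deepExtend(clone, copy, hardened);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Defensive pre-check (hypothetical helper) for code still on a vulnerable jQuery:
// reject parsed JSON carrying a prototype-shaped key anywhere in its tree before it
// reaches extend(). Stricter than jQuery's fix, which skips only "__proto__".
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function hasDangerousKeys(value) {
  if (!value || typeof value !== "object") return false;
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key) || hasDangerousKeys(value[key])) return true;
  }
  return false;
}
// Constructed sample input, shaped like an untrusted JSON request body.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"polluted":true}}';
function demo() {
  const source = JSON.parse(UNTRUSTED_JSON);   // own enumerable "__proto__" key
  const flagged = hasDangerousKeys(source);
  deepExtend({}, source, true);
  const hardenedLeak = ({}).polluted;          // undefined: prototype untouched
  deepExtend({}, source, false);
  const vulnerableLeak = ({}).polluted;        // true: Object.prototype was extended
  delete Object.prototype.polluted;            // undo the demonstration
  return { flagged, hardenedLeak, vulnerableLeak };
}
```

Running demo() shows the pre-check flagging the input, the hardened merge leaving Object.prototype alone, and the unhardened merge adding a property that every plain object then inherits.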
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
    return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.