jQuery 2.1.4 is a patch release of the widely used JavaScript library, following version 2.1.3. Both versions share the same core functionality: DOM manipulation, event handling, animation, and AJAX. The package description and dependencies of the two releases are identical, which points to a release focused on stability and bug fixes rather than new features. Key development dependencies such as Grunt, JSDOM, and RequireJS are unchanged between the two.
The visible difference is the release date: version 2.1.4 was published on April 28, 2015, about four months after version 2.1.3 (December 18, 2014), and carries the bug fixes and minor adjustments made in that interval. Within the 2.1.x line, 2.1.4 is therefore the version to use. It does not, however, address any of the vulnerabilities listed below: each of them affects 2.1.4, and the fixes landed only in the 3.x line (3.0.0, 3.4.0 and 3.5.0 respectively), so a project that needs those fixes has to move to jQuery 3.x rather than stop at 2.1.4. The change logs on the official GitHub repository give the specific issues addressed between 2.1.3 and 2.1.4.
All vulnerabilities affecting version 2.1.4 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later. If upgrading is not immediately possible, set an explicit dataType (for example "json") on every cross-origin request, so that the response's Content-Type is never used to decide whether the body should be evaluated as script.
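The advisory above turns on one decision inside jQuery's ajax layer: when the caller gives no dataType, the response Content-Type is sniffed against a table of patterns, and a match on the script pattern sends the body to jQuery.globalEval. The block below is an added example written for this page, not jQuery's own code; it models that decision in plain Node.js so it can be run without a browser. The pattern table, the request option names (crossDomain, dataType, contents) and the "script means eval" rule follow jQuery's ajax API, and hardenCrossDomain expresses the 3.0.0 fix, which is to disable the script sniff for cross-domain requests. The sample responses are constructed.

```javascript
// Added model of jQuery's "intelligent guess" for responses that arrive with no
// dataType (jQuery < 3.0). Not jQuery's source; it reproduces only the decision
// that matters for this advisory.
const defaultContents = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/, // registered by jQuery's script transport
};

// Explicit dataType wins, as in jQuery: the Content-Type guess only runs when
// the caller left dataType unset (jQuery's internal "*").
function pickDataType(options, responseContentType) {
  if (options.dataType && options.dataType !== "*") return options.dataType;
  const contents = { ...defaultContents, ...(options.contents || {}) };
  for (const [type, re] of Object.entries(contents)) {
    // A falsy entry (contents.script = false) disables that sniff, as in jQuery.
    if (re && re.test(responseContentType)) return type;
  }
  return "text";
}

// Model of jQuery's "text script" converter: a resolved dataType of "script"
// means the body is handed to jQuery.globalEval.
function handleResponse(options, responseContentType, body) {
  const dataType = pickDataType(options, responseContentType);
  return { dataType, evaluated: dataType === "script", body };
}

// The jQuery 3.0.0 fix, expressed as an option transform: for cross-domain
// requests, never let a Content-Type of text/javascript select "script".
// On a real pre-3.0 page the same thing is done with a prefilter:
//   jQuery.ajaxPrefilter(function (s) { if (s.crossDomain) { s.contents.script = false; } });
function hardenCrossDomain(options) {
  if (!options.crossDomain) return options;
  return { ...options, contents: { ...(options.contents || {}), script: false } };
}

// Constructed scenario: an attacker-controlled origin answers a request that
// the page issued without a dataType.
const legacyRequest = { crossDomain: true };
const hostile = handleResponse(legacyRequest, "text/javascript", "alert(document.domain)");
const hardened = handleResponse(hardenCrossDomain(legacyRequest), "text/javascript", "alert(document.domain)");
console.log("pre-3.0 behaviour evaluates body:", hostile.evaluated);   // true
console.log("hardened request evaluates body:", hardened.evaluated);   // false, handled as text
```

Note that the guard is keyed on crossDomain, so a same-origin text/javascript response is still evaluated, exactly as jQuery 3.x behaves; the fix narrows the eval to origins the page already trusts rather than removing the script dataType.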
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Update to version 3.4.0 or later.
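To make the mechanism concrete, the block below is an added example written for this page, not jQuery's source. deepExtendLegacy mirrors the shape of the pre-3.4.0 deep-merge loop (every enumerable key of the source, "__proto__" included, is merged into target[name]); deepExtendFixed adds the guard that 3.4.0 introduced. The attacker-controlled JSON is constructed; isPlainObject and pollutionProbe are helpers defined here, not jQuery API.

```javascript
// Added illustration of jQuery.extend(true, ...) prototype pollution and its fix.
// Neither function is jQuery's code verbatim; they keep only the merge logic.

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Pre-3.4.0 shape. For name === "__proto__", target[name] is not an own key;
// the lookup falls through to the Object.prototype accessor and returns
// Object.prototype itself, which then becomes the recursion target.
function deepExtendLegacy(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (target === copy) continue;          // jQuery's existing self-reference guard
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendLegacy(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// 3.4.0 shape: a key literally named "__proto__" is never merged.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge of constructed attacker-controlled JSON and reports whether a
// fresh, unrelated object now carries the injected property. JSON.parse creates
// "__proto__" as an ordinary own, enumerable key, which is exactly what hands it
// to the for...in loop above (an object literal {__proto__: ...} would not).
function pollutionProbe(extendFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  extendFn({}, untrusted);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted; // undo the damage so later code in this process is unaffected
  return leaked;
}

console.log("legacy merge leaks onto new objects:", pollutionProbe(deepExtendLegacy)); // "yes"
console.log("fixed merge leaks onto new objects:", pollutionProbe(deepExtendFixed));   // undefined
```

The same property shows up on every object in the process, including ones created by unrelated libraries, which is why the advisory describes the impact as XSS rather than a local data corruption: any code that later reads an option like `sanitize` or `allowHtml` from a plain object can have its default flipped.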
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
	return html;
};
This replaces the default prefilter (which rewrites self-closing tags such as <p/> into <p></p> before parsing) with an identity function, which is also what jQuery 3.5.0 ships. You need at least jQuery 1.12/2.2 to apply this workaround, because jQuery.htmlPrefilter does not exist in earlier releases; on 2.1.4, the version this page covers, assigning it has no effect and upgrading is the only fix.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
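Why a sanitized string can still execute code is easiest to see on the string itself. The block below is an added example written for this page, not jQuery's code: legacyHtmlPrefilter follows the shape of the pre-3.5.0 prefilter regex (expand XHTML-style self-closing tags, except void elements), fixedHtmlPrefilter is the 3.5.0 behaviour and the advisory's workaround, and introducesCloseTag is a helper defined here that flags the dangerous case: a closing tag for a raw-text element (style, script, textarea, ...) that the sanitizer never saw. The payload is constructed for the example.

```javascript
// Added illustration of the pre-3.5.0 jQuery.htmlPrefilter expansion. The regex
// reproduces the shape of the original (void elements excluded, everything else
// "<tag .../>" becomes "<tag ...></tag>") but is not jQuery's source verbatim.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 behaviour, and the advisory's workaround: leave the string alone.
function fixedHtmlPrefilter(html) {
  return html;
}

// Raw-text elements swallow everything up to their matching close tag. A
// sanitizer that parses the original string therefore sees the content of
// <style>...</style> as inert text. If a later transform manufactures that close
// tag, the "text" after it is parsed as live markup.
const RAW_TEXT_ELEMENTS = ["style", "script", "textarea", "title", "xmp", "iframe", "noembed", "noframes", "noscript"];

// Returns the raw-text elements whose close tag appears in `after` but not in
// `before`, i.e. the cases where the prefilter changed how the browser parses.
function introducesCloseTag(before, after) {
  return RAW_TEXT_ELEMENTS.filter((tag) => {
    const close = new RegExp(`</${tag}\\s*>`, "i");
    return !close.test(before) && close.test(after);
  });
}

// Constructed payload: as written, the inner <style/> and the <img> are just
// text inside the outer <style>, so a parser-based sanitizer passes it.
const payload = "<style><style/><img src=x onerror=alert(1)>";
const expanded = legacyHtmlPrefilter(payload);

console.log("after legacy prefilter:", expanded);
// <style><style></style><img src=x onerror=alert(1)>  -> the </style> now ends
// the raw-text block and the <img> becomes a real element with an onerror handler.
console.log("close tags introduced:", introducesCloseTag(payload, expanded));            // [ 'style' ]
console.log("close tags introduced (3.5.0):", introducesCloseTag(payload, fixedHtmlPrefilter(payload))); // []
```

The practical check this gives you is the order of operations: sanitize the string that jQuery will actually parse, or make sure nothing between the sanitizer and the parser rewrites it. Running DOMPurify and then handing the result to .html() on jQuery < 3.5.0 violates that, which is what the advisory describes.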
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0. It is a separate issue from the htmlPrefilter one above, rooted in how older jQuery wraps <option> markup in a <select> before parsing it, so overriding jQuery.htmlPrefilter does not cover it.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method. DOMPurify removed that option in later releases once jQuery 3.5.0 made it unnecessary, so confirm that the DOMPurify version you deploy still supports it before relying on this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/