jQuery 3.2.0 and 3.1.1 are both versions of the popular JavaScript library that simplifies DOM manipulation, event handling, and animation in web browsers. The upgrade from 3.1.1 to 3.2.0 brings incremental improvements and bug fixes rather than new headline features; both versions expose the same core API and suit the same range of web development tasks.
One visible difference is the package's "author" field: 3.2.0 lists "JS Foundation and other contributors", reflecting the project's governance at the time. The substantive changes are internal bug fixes and stability refinements for issues found in 3.1.1. Both versions declare the same "devDependencies" for building, testing and linting the library (grunt, eslint and qunitjs among them); the specific adjustments made in 3.2.0 are not itemized in this data.
Developers considering the upgrade should test their existing code against 3.2.0 before deploying it. jQuery aims for backward compatibility within the 3.x line, so most code written for 3.1.1 should run unmodified. Version 3.2.0 was released on 2017-03-16 and version 3.1.1 on 2016-09-22. Whether to upgrade depends on the bug fixes needed, the minor performance gains on offer, and the value of staying current with the codebase. Note that the advisories listed below apply to 3.2.0 and, by their stated version ranges, to 3.1.1 as well; where security is the driver, the relevant target is a release at or after the patched versions named in each advisory (3.4.0 and 3.5.0).
All vulnerabilities affecting version 3.2.0 of the package
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contains an enumerable __proto__ property, a deep extend can extend the native Object.prototype, so every object in the page inherits attacker-chosen properties. This is fixed in jQuery 3.4.0; version 3.2.0 is affected. The practical check is whether any deep jQuery.extend call in your code takes its source object from untrusted input (for example a parsed JSON body or query string), since a sanitizer that does not strip a literal "__proto__" key does not protect you.
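The mechanism described above, as an added example that is not jQuery's own code: a minimal deep merge in the shape of jQuery.extend(true, target, source), first as it behaved before 3.4.0 and then with the guard the fix introduced. Names (deepExtendVulnerable, deepExtendSafe, pollutes) and the JSON payload are constructed for this illustration; it runs under Node without jQuery.

```javascript
// Added example (not jQuery's source): a simplified deep merge modelled on
// jQuery.extend(true, ...), shown vulnerable and then hardened.

function isPlainObjectLike(value) {
  // Sufficient for this demo: non-null objects that are not arrays.
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Pre-3.4.0 shape: every enumerable key of source is merged, including an own
// property literally named "__proto__" (which JSON.parse happily creates).
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObjectLike(copy)) {
      // target["__proto__"] on an ordinary object is Object.prototype, so the
      // nested keys get merged straight into the global prototype.
      const src = target[name];
      const clone = isPlainObjectLike(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened shape: skipping "__proto__" mirrors what jQuery 3.4.0 added.
// Walking only own keys of source, and only reusing an own nested object of
// target, is extra defence added here (it also keeps "constructor" from
// reaching Object.prototype through an inherited lookup).
function deepExtendSafe(target, source) {
  for (const name of Object.keys(source)) {
    if (name === "__proto__") continue;
    const copy = source[name];
    if (copy === target) continue; // never merge a value into itself
    if (isPlainObjectLike(copy)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, name);
      const src = hasOwn ? target[name] : undefined;
      const clone = isPlainObjectLike(src) ? src : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// own, enumerable "__proto__" data property rather than touching the prototype.
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Merge the payload into empty settings with the given extend function and
// report whether an unrelated object now inherits isAdmin. Cleans up so the
// rest of the process is left unpolluted.
function pollutes(extendFn) {
  const settings = extendFn({}, JSON.parse(PAYLOAD_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { leaked, settingsName: settings.name };
}

// Usage: pollutes(deepExtendVulnerable).leaked is true, pollutes(deepExtendSafe).leaked is false.
```

The check that matters is the one on an object that never took part in the merge: once Object.prototype carries isAdmin, every `{}` in the process answers true to an `if (user.isAdmin)` test. Upgrading to 3.4.0 or later is the real fix; the hardened merge above only shows which guard that release added.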
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. The cause is that jQuery rewrites the HTML string through jQuery.htmlPrefilter before parsing it, so the markup the browser finally parses can differ from the markup the sanitizer approved.
This problem is patched in jQuery 3.5.0; version 3.2.0 is affected.
To work around the issue without upgrading, add the following to your code. It turns jQuery.htmlPrefilter into an identity function, so the string reaches the parser unchanged:
jQuery.htmlPrefilter = function( html ) {
    return html;
};
You need jQuery 1.12/2.2 or newer to apply this workaround, because jQuery.htmlPrefilter does not exist as an overridable hook in earlier versions.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
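Why the identity-function workaround is sufficient, as an added example that is not part of the advisory or of jQuery's source: a string-only model of the rewrite jQuery.htmlPrefilter performed before 3.5.0 (expanding self-closing tags such as <div/> into <div></div>), next to the identity behaviour that 3.5.0 ships and the workaround installs. The regex is reproduced from memory of the pre-3.5 manipulation code and should be treated as a reconstruction; the input string, styleTextContent and imgEscapesStyle are constructed for this illustration. No DOM is needed because the point is the string handed to the parser.

```javascript
// Added example (not jQuery's source): what the pre-3.5 htmlPrefilter did to
// a string, and why passing the string through unchanged closes the gap.

// Reconstruction of the pre-3.5 self-closing-tag expansion. Void elements
// (br, img, input, ...) are excluded; every other "<tag .../>" is rewritten
// as "<tag ...></tag>".
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 behaviour, and what the advisory's workaround installs on
// older versions: no rewriting at all.
function identityHtmlPrefilter(html) {
  return html;
}

// Constructed stand-in for sanitizer output. An HTML parser treats everything
// between <style> and the first </style> as raw CSS text, so a DOM-based
// sanitizer sees one <style> element and no <img> element here.
const UNTRUSTED_HTML = '<style><style /><img src="x" alt="constructed marker"></style>';

// Helper: the raw text an HTML parser would assign to the first <style>
// element, i.e. everything up to the first closing </style>.
function styleTextContent(html) {
  const open = html.indexOf("<style>");
  if (open === -1) return null;
  const start = open + "<style>".length;
  const close = html.indexOf("</style>", start);
  return close === -1 ? html.slice(start) : html.slice(start, close);
}

// True when the <img> is no longer inside the style text, meaning the parser
// would now create a real <img> element that the sanitizer never inspected.
function imgEscapesStyle(html) {
  const text = styleTextContent(html);
  return text !== null && !text.includes("<img");
}

// Usage:
//   legacyHtmlPrefilter(UNTRUSTED_HTML)   -> '<style><style ></style><img src="x" alt="constructed marker"></style>'
//   imgEscapesStyle(legacyHtmlPrefilter(UNTRUSTED_HTML))   -> true  (sanitizer bypassed)
//   imgEscapesStyle(identityHtmlPrefilter(UNTRUSTED_HTML)) -> false (string parsed as approved)
```

The expansion turns the inner "<style />", which the sanitizer saw as text, into "<style ></style>"; that close tag ends the outer style element early and promotes whatever follows to live markup. Any attribute that a sanitizer would normally strip from a real element survives this route, which is why the advisory says sanitizing first does not help. The identity prefilter removes the rewrite rather than the parser behaviour, so the string the sanitizer approved is exactly the string that gets parsed.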
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0; version 3.2.0 is affected.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method. This advisory and the previous one are separate issues with separate workarounds; upgrading to 3.5.0 closes both.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/