basiljs / basiljs.github.io

W.I.P. Basil.js reference build with jekyll and documentation.js
https://basiljs2.netlify.app

chore(deps): update dependency jquery to v3.5.0 [security] - autoclosed #208

Closed renovate[bot] closed 4 years ago

renovate[bot] commented 4 years ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| jquery (source) | devDependencies | minor | 3.4.1 -> 3.5.0 |

GitHub Vulnerability Alerts

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around the issue without upgrading, add the following to your code:

```js
// Replace jQuery's default htmlPrefilter (which rewrote self-closing tags such as
// <div/> into <div></div> before parsing) with an identity function, so the markup
// handed to .html()/.append() is parsed exactly as it was sanitized.
jQuery.htmlPrefilter = function( html ) {
    return html;
};
```

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory:

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory:


Release Notes

jquery/jquery

v3.5.0: https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0

Compare Source: https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0

Renovate configuration

:date: Schedule: "" (UTC).

:vertical_traffic_light: Automerge: Enabled.

:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

:no_bell: Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by WhiteSource Renovate. View repository job log here.
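The CVE-2020-11022 advisory quoted above says that sanitized HTML can still become dangerous once jQuery's DOM methods process it, and gives an identity `htmlPrefilter` as the workaround. The block below is an added example, not code from this PR, from basil.js or from jQuery itself: it reconstructs the tag-expansion step of jQuery's pre-3.5 default prefilter (the regex and replacement are reproduced from jQuery 3.4.x and labelled as such), places the advisory's identity prefilter beside it, and provides a `prefilterRewrites` check a team can run against whichever prefilter their bundled jQuery exposes. The sample markup is constructed and benign; the point is that the legacy filter changes the string after sanitization, which is exactly the gap a sanitizer cannot cover.

```javascript
// Added example (not part of the PR, basil.js or jQuery). Reproduces the
// tag-expansion behaviour of jQuery <3.5's default htmlPrefilter so the
// mechanism behind CVE-2020-11022 can be inspected offline, and shows a
// defensive check for whether a prefilter alters already-sanitized markup.

// Reconstruction of the pre-3.5 jQuery regex: any self-closing tag that is
// not one of the listed void elements is rewritten to an open/close pair.
const LEGACY_SELF_CLOSING =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour of jQuery.htmlPrefilter before 3.5.0 (reconstructed here).
function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_SELF_CLOSING, "<$1></$2>");
}

// The advisory's workaround: return the markup untouched, so the string a
// sanitizer approved is exactly the string the browser will parse.
function identityHtmlPrefilter(html) {
  return html;
}

// Defensive check: run a prefilter over sanitized samples and report every
// sample it changes. A non-empty result means markup is rewritten after
// sanitization, so the sanitizer's guarantees no longer apply to what is
// inserted into the DOM.
function prefilterRewrites(prefilter, samples) {
  const changed = [];
  for (const sample of samples) {
    const out = prefilter(sample);
    if (out !== sample) {
      changed.push({ before: sample, after: out });
    }
  }
  return changed;
}

// Constructed, benign sample markup. <br/> is a void element and is left
// alone by the legacy filter; the other two samples are expanded.
const SAMPLES = [
  "<p>hello<br/>world</p>",
  "<div/><span>after</span>",
  "<style/><b>bold</b>",
];

// Stand-alone run: show what each prefilter does to the samples.
console.log("legacy prefilter rewrites:", prefilterRewrites(legacyHtmlPrefilter, SAMPLES));
console.log("identity prefilter rewrites:", prefilterRewrites(identityHtmlPrefilter, SAMPLES));
```

In a real page you would pass the live `jQuery.htmlPrefilter` (the property name comes from the advisory) into `prefilterRewrites` together with a few samples of the markup your sanitizer emits; an empty result from that call is the condition the advisory's workaround is meant to establish, and upgrading to 3.5.0, where the default prefilter no longer expands tags, gives the same result without the override.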

basilbot commented 4 years ago

Deploy preview for basiljs2 ready!

Built with commit 86839231e3ce59b0910095b191381c54f61b91f8

https://deploy-preview-208--basiljs2.netlify.app