Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Release Notes
jquery/jquery (jquery)
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/tag/3.5.0): jQuery 3.5.0 Released!
[Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0)
See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/
**NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details.
Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
3.4.1
->3.5.0
GitHub Vulnerability Alerts
CVE-2020-11023
Impact
Passing HTML containing
<option>
elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e..html()
,.append()
, and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERY
option to sanitize the HTML string before passing it to a jQuery method.References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Release Notes
jquery/jquery (jquery)
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/tag/3.5.0): jQuery 3.5.0 Released! [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0) See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/ **NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details.Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
Thanks for the PR!
Deployments, as required, will be available below:
Please create PRs in draft mode. Mark as ready to enable:
After merge, new images are deployed in: