bgrins / spectrum

The No Hassle JavaScript Colorpicker
https://bgrins.github.io/spectrum/
MIT License

Fix invalid self-closing <span /> tag incompatible with jQuery 3.5 #556

Closed andersk closed 4 years ago

andersk commented 4 years ago

To close a cross-site scripting vulnerability, jQuery 3.5.0 disabled an insecure htmlPrefilter that previously fixed up invalid self-closing tags. Fix our HTML not to rely on that.

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Fixes #558.
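As an added example (not part of the original pull request and not spectrum's code): the regex below is the tag-expansion pattern that `jQuery.htmlPrefilter` applied before 3.5.0. It is used here to show what the old prefilter rewrote and to flag templates that still depend on it. The sample template and the function names are constructed for illustration.

```javascript
// Pattern used by jQuery.htmlPrefilter before 3.5.0: any self-closing tag
// that is not a void element (br, img, input, ...) was expanded to an
// open/close pair before the string reached innerHTML.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour of jQuery < 3.5.0: rewrite "<span />" to "<span ></span>".
function legacyPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour of jQuery >= 3.5.0: the markup is passed through unchanged, so
// the HTML parser sees "<span />" as an unclosed <span> and nests whatever
// follows inside it.
function currentPrefilter(html) {
  return html;
}

// Lint helper (hypothetical name): list every non-void self-closing tag in a
// template string, i.e. every place that relied on the old fix-up.
function findSelfClosingNonVoid(html) {
  const hits = [];
  for (const m of html.matchAll(rxhtmlTag)) {
    hits.push({ tag: m[2].toLowerCase(), index: m.index, text: m[0] });
  }
  return hits;
}

// Constructed sample template; class names are placeholders.
const SAMPLE =
  '<div class="picker"><span class="handle" /><input type="text" />' +
  '<div class="inner"></div></div>';

for (const hit of findSelfClosingNonVoid(SAMPLE)) {
  console.log(`offset ${hit.index}: ${hit.text} should be <${hit.tag}...></${hit.tag}>`);
}
console.log("jQuery < 3.5.0 parsed: ", legacyPrefilter(SAMPLE));
console.log("jQuery >= 3.5.0 parses:", currentPrefilter(SAMPLE));
```

Running the helper over a plugin's template strings before upgrading jQuery shows which tags need an explicit closing tag; `<input />` is not reported because void elements were never rewritten.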

nguyenj commented 4 years ago

@bgrins any chance we can get this merged soon? The jQuery 3.5 patch release is a security patch and it exposed a regression in this plugin.

thenitai commented 4 years ago

We've only just updated to jQuery 3.5.1 and I was searching for hours for a solution. Thanks for the fix.

bgrins commented 4 years ago

Thanks for the patch, and sorry for the delay. I'll merge it now and tag a release later.

bgrins commented 4 years ago

1.8.1 has been tagged and published. I've also updated the docs page at https://bgrins.github.io/spectrum/ to use jQuery 3.5.1.