Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Release Notes
jquery/jquery
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/3.5.0)
[Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0)
See the blog post:
and the upgrade guide:
**NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details.
Renovate configuration
:date: Schedule: "" in timezone Europe/Moscow.
:vertical_traffic_light: Automerge: Enabled.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
3.4.1->3.5.0GitHub Vulnerability Alerts
CVE-2020-11022
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2020-11023
Impact
Passing HTML containing
<option>elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e..html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERYoption to sanitize the HTML string before passing it to a jQuery method.References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Release Notes
jquery/jquery
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/3.5.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0) See the blog post:Renovate configuration
:date: Schedule: "" in timezone Europe/Moscow.
:vertical_traffic_light: Automerge: Enabled.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.