GHSA-jpcq-cgw6-v4j6

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json
Aliases
Published
2020-04-29T22:19:14Z
Modified
2023-09-06T19:02:24.302670Z
Details

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

References

Affected packages

npm / jquery

Source Details

Package Name
jquery

Affected ranges

Type
SEMVER
Events
Introduced
1.0.3
Fixed
3.5.0

RubyGems / jquery-rails

Source Details

Package Name
jquery-rails

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.4.0

Affected versions

0.*

0.1.1
0.1.2
0.1.3
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7

1.*

1.0.rc
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19

2.*

2.0.1
2.0.2
2.0.3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.3.0

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5

4.*

4.0.0.beta1
4.0.0.beta2
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5

NuGet / jQuery

Source Details

Package Name
jQuery

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.3
Fixed
3.5.0

Affected versions

1.*

1.4.1
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.1.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.9.1
1.10.0
1.10.0.1
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4

2.*

2.0.0
2.0.1
2.0.1.1
2.0.2
2.0.3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4

3.*

3.0.0
3.0.0.1
3.1.0
3.1.1
3.2.1
3.3.1
3.4.0
3.4.1