Timmy Willison recently released a new version of jQuery. jQuery 3.5 fixes a cross-site scripting (XSS) vulnerability in jQuery's HTML prefilter, the step that rewrites markup strings before they are handed to the browser's parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities. jQuery 3.5 also adds the missing methods for the positional selectors :even and :odd, in preparation for the complete removal of positional selectors in the next major jQuery release (jQuery 4).
Masato Kinugawa found a cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery, and published an example showing a popup alert window in the form of a challenge. Kinugawa explains that jQuery's html() function calls the htmlPrefilter() method, which uses a regexp to replace XHTML-like self-closing tags with versions that work in HTML:
This essentially converts a self-closing tag into a full-blown tag, for example,
<blah/> <!-- converted to --> <blah></blah>
This can be really powerful.
Consider
<style><style/>Elon
; when innerHTML is used to insert this into the DOM, the resulting DOM Tree looks like this:
<style> <style/>Elon </style>
But with jQuery's html(), it's a whole different story. When we try the same input with html(), we see the following:
<style> <style> </style> Elon
The self-closing <style/> is replaced with <style></style>, which makes the second <style> tag be treated as the contents of the first <style> tag, but look what happened to the Elon text; it's outside the <style> tag and out open in the HTML context. Ergo, XSS.
With the fix in jQuery 3.5, jQuery.htmlPrefilter is now the identity function: markup passed to html() and jQuery's other HTML-inserting methods reaches the browser's parser unchanged, so code that relied on self-closing tags being expanded may break. The jQuery team notes that the jQuery Migrate plugin can restore the previous behavior for code that absolutely needs it, with the UNSAFE_ prefix of the restoring function signaling that doing so also restores the vulnerability:
If you absolutely need the old behavior, using the latest version of the jQuery Migrate plugin provides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.
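The prefilter behavior described in Kinugawa's walkthrough and the 3.5 fix, side by side, as an added example that is neither jQuery's own code nor Kinugawa's: legacyHtmlPrefilter reproduces the pre-3.5 rewrite with a regular expression modeled on jQuery's rxhtmlTag (an assumption; check it against the jQuery source for the version you ship), fixedHtmlPrefilter is the 3.5 identity, and htmlContextText is a small model of the HTML parser's raw-text rule for <style>, just enough to show which part of the input ends up in markup context. It runs stand-alone under Node.

```javascript
// Added example, not jQuery's own code: contrast the pre-3.5 htmlPrefilter
// rewrite with the 3.5 identity and show why "<style><style/>Elon" escapes
// the raw-text <style> context once the self-closing tag is expanded.

// Regex modeled on jQuery's pre-3.5 rxhtmlTag (assumption: check the exact
// expression against the jQuery source for the version you ship). It rewrites
// self-closing non-void tags such as <blah/> into an open/close pair.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5 behavior: expand <tag .../> into <tag ...></tag>.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5 behavior: the identity, markup reaches the DOM parser untouched.
function fixedHtmlPrefilter(html) {
  return html;
}

// Minimal model of the HTML parser's raw-text rule for <style>: after an
// opening <style ...> tag, everything up to the next literal "</style" is CSS
// text, not markup (a <style/> start tag counts as an opener, since the HTML
// parser ignores the self-closing flag on non-void elements). Returns the text
// that lands in the HTML (markup) context, where tags and scripts are parsed.
function htmlContextText(markup) {
  const lower = markup.toLowerCase();
  let out = "";
  let i = 0;
  while (i < markup.length) {
    const open = lower.indexOf("<style", i);
    if (open === -1) {          // no more <style>: the rest is markup
      out += markup.slice(i);
      break;
    }
    out += markup.slice(i, open);
    const openEnd = lower.indexOf(">", open);
    if (openEnd === -1) break;  // unterminated start tag: nothing more to parse
    const close = lower.indexOf("</style", openEnd + 1);
    if (close === -1) break;    // unterminated raw text: rest is CSS, not markup
    const closeEnd = lower.indexOf(">", close);
    i = closeEnd === -1 ? markup.length : closeEnd + 1;
  }
  return out;
}

// Kinugawa's input: harmless via innerHTML, the text escapes via the old html().
const PAYLOAD = "<style><style/>Elon";

function compare(input) {
  return {
    viaFixed: htmlContextText(fixedHtmlPrefilter(input)),   // ""
    viaLegacy: htmlContextText(legacyHtmlPrefilter(input)), // "Elon"
  };
}

console.log(legacyHtmlPrefilter(PAYLOAD)); // <style><style></style>Elon
console.log(compare(PAYLOAD));
```

With the legacy prefilter the expanded <style></style> closes the raw-text element early and "Elon" is parsed as markup; with the identity prefilter the parser never sees a closing tag and the whole tail stays inside the style element, matching the two DOM trees in the walkthrough. The same regex also fires on tags like <a href="x"/>, while void elements such as <br/> are left alone. Note that the 3.5 fix only stops jQuery from making untrusted markup worse than the browser would; an application that passes user-controlled strings to html() is still exposed to whatever script the string itself carries, so untrusted input belongs in text() or in an HTML sanitizer, never in html().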
While jQuery is a mature library, it is also pervasive across websites. The Snyk open source security platform estimated in its State of JavaScript frameworks security report 2019 that 84% of all websites may be impacted by jQuery XSS vulnerabilities, and that jQuery can be found in 79% of the top 5,000 URLs from Alexa.
All positional selectors (like :first or :last) will be removed in jQuery 4 for maintenance and optimization reasons. Most positional selectors already had equivalent methods, with the exception of :even and :odd; jQuery 3.5 adds the missing methods, so $("div:even") can for instance be written as $("div").even().
jQuery 3.5 deprecates jQuery.trim in favor of JavaScript's own String.prototype.trim(). jQuery 3.5 also comes with additional bug fixes, deprecations and changes, detailed in the release note (which includes the full change log). Developers seeking to upgrade should consult the 3.5 Upgrade Guide, or the 3.0 Upgrade Guide if they have not yet upgraded to jQuery 3. In all cases, the jQuery Migrate plugin helps developers identify compatibility issues in their code.
jQuery 3.5.0 is available on both CDNs and npm (npm install jquery@3.5.0).