
jQuery 3.5 Released, Fixes XSS Vulnerability

Timmy Willison recently released a new version of jQuery. jQuery 3.5 fixes a cross-site scripting (XSS) vulnerability in jQuery's HTML prefilter, the step that rewrites markup before it is handed to the browser's parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities. jQuery 3.5 also adds the missing methods for the positional selectors :even and :odd, in preparation for the complete removal of positional selectors in the next major jQuery release (jQuery 4).

Masato Kinugawa found a cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery, and published an example showing a popup alert window in the form of a challenge. Kinugawa explains that jQuery's html() function calls the htmlPrefilter() method, which uses a regular expression to replace XHTML-style self-closing tags with equivalents that work in HTML:

This essentially converts a self-closing tag into a full-blown tag, for example,

<blah/>
<!-- converted to -->
<blah></blah>

This can be really powerful.

Consider <style><style/>Elon; when innerHTML is used to insert this into the DOM, the resulting DOM Tree looks like this:

<style>
   <style/>Elon
</style>

But with jquery’s html(), it’s a whole different story. When we try the same input with html(), we see the following:

<style>
   <style>
</style>
Elon

The self-closing <style/> is replaced with <style></style>, which causes the second <style> tag to be treated as the contents of the first <style> tag; but look what happened to the Elon text: it's outside the <style> tag and out in the open in the HTML context. Ergo, XSS.
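To make the behaviour above concrete, the following added example (not code from jQuery or from the write-up quoted above) models the pre-3.5 jQuery.htmlPrefilter rewrite and then walks the resulting markup to show which text runs end up inside a raw-text element such as <style> and which end up in ordinary HTML context. The rxhtmlTag regular expression is reproduced from memory of the jQuery 3.4.x source and should be treated as an approximation; the context walker is a deliberately simplified model of the HTML tokenizer (it only tracks raw-text elements and ignores comments and a quoted ">" inside attributes), and the payload is the constructed input from the quoted explanation.

```javascript
// Added example (not jQuery's own code): model the pre-3.5 jQuery.htmlPrefilter
// rewrite and show where the text after a self-closing <style/> ends up.
// Assumption: rxhtmlTag is reproduced from memory of the jQuery 3.4.x source;
// the context walker below is a simplified model of the HTML tokenizer (it
// only tracks raw-text elements and ignores comments and quoted ">" in attributes).

// Pre-3.5 behaviour: rewrite <tag .../> to <tag ...></tag>, except for void elements.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5+ behaviour: the markup is passed to the parser untouched (identity function).
function fixedHtmlPrefilter(html) {
  return html;
}

// Elements whose content the HTML tokenizer reads as raw text until it sees the
// matching end tag. HTML ignores a self-closing "/>" on these, so "<style/>"
// still opens a style element.
const RAW_TEXT_ELEMENTS = new Set(["style", "script", "textarea", "title"]);

// Walk the markup and label each text run with the context it lands in:
// "html" (ordinary content) or "rawtext:<name>" (inert text inside e.g. <style>).
function textContexts(html) {
  const runs = [];
  let i = 0;
  let rawTag = null;
  while (i < html.length) {
    if (rawTag !== null) {
      // Only the matching end tag ends raw text; any other "<" is just a character.
      const close = new RegExp("</" + rawTag + "(?=[\\s/>])", "ig");
      close.lastIndex = i;
      const m = close.exec(html);
      const end = m ? m.index : html.length;
      if (end > i) runs.push({ text: html.slice(i, end), context: "rawtext:" + rawTag });
      if (!m) break;
      const gt = html.indexOf(">", m.index);
      i = gt === -1 ? html.length : gt + 1;
      rawTag = null;
    } else if (html[i] === "<") {
      const gt = html.indexOf(">", i);
      if (gt === -1) { // unterminated tag: the rest is text
        runs.push({ text: html.slice(i), context: "html" });
        break;
      }
      const tag = html.slice(i + 1, gt);
      const name = /^([a-z][^\s\/>]*)/i.exec(tag); // start tags only; "/name" is an end tag
      if (name && RAW_TEXT_ELEMENTS.has(name[1].toLowerCase())) {
        rawTag = name[1].toLowerCase();
      }
      i = gt + 1;
    } else {
      const lt = html.indexOf("<", i);
      const end = lt === -1 ? html.length : lt;
      runs.push({ text: html.slice(i, end), context: "html" });
      i = end;
    }
  }
  return runs;
}

// Text that ends up in ordinary HTML context after a given prefilter has run.
function exposedText(html, prefilter) {
  return textContexts(prefilter(html))
    .filter((r) => r.context === "html")
    .map((r) => r.text);
}

// Constructed input, taken from the explanation quoted above.
const payload = "<style><style/>Elon";

console.log(legacyHtmlPrefilter(payload));              // <style><style></style>Elon
console.log(exposedText(payload, legacyHtmlPrefilter)); // [ 'Elon' ]  -> out in HTML context
console.log(exposedText(payload, fixedHtmlPrefilter));  // []          -> stays inside <style>
```

Run with `node`. The point the walker makes is that the rewrite changes the parse tree, not just the string: with the legacy prefilter the closing tag it synthesises terminates the outer <style>, so whatever follows is parsed as live markup; with the identity prefilter of 3.5 the same input stays inert. Anything that restores the old behaviour, such as the Migrate plugin's `jQuery.UNSAFE_restoreLegacyHtmlPrefilter()`, brings this context switch back.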

With the fix in jQuery 3.5, jQuery.htmlPrefilter is now the identity function, and code that relied on the previous conversion may break. The jQuery team points to the jQuery Migrate plugin for code that still needs the old behavior, while making clear that restoring it reopens the issue:

If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin provides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.

While jQuery is a mature library, it is also extremely widespread, so a flaw in it has a large blast radius. The Snyk open source security platform estimated in its State of JavaScript Frameworks Security Report 2019 that 84% of all websites may be impacted by jQuery XSS vulnerabilities, and that jQuery can be found in 79% of the top 5,000 URLs from Alexa.

All positional selectors (like :first or :last) will be removed in jQuery 4, for maintenance and optimization reasons. Most of the positional selectors already had alternative methods, with the exception of :even and :odd. jQuery 3.5 adds the missing methods: $("div:even") can, for instance, be written as $("div").even().

jQuery 3.5 deprecates jQuery.trim in favor of JavaScript's own String.prototype.trim(). jQuery 3.5 comes with additional bug fixes, deprecations and changes whose details are available in the release note (including the full detailed change log). Developers seeking to upgrade should consult the 3.5 Upgrade Guide, or the 3.0 Upgrade Guide if they have not previously upgraded to jQuery 3. In all cases, the jQuery Migrate plugin helps developers identify compatibility issues in their code.

jQuery 3.5.0 is available on both CDNs and npm (npm install jquery@3.5.0).
