jQuery with XSS, Testing and Secure Version
- Bug 9521 (CVE-2011-4969) - $("#<img src=x onerror=...>")
- Bug 11290 (CVE-2012-6708) - $("element[attribute='<img src=x onerror=...>'")
- issue 2432 (CVE-2015-9251) - 3rd party $.get() auto executes if content type is text/javascript
- issue 11974 (CVE-2015-9251) - parseHTML executes inline scripts like event handlers
- issue 4333 (CVE-2019-11358) - prototype pollution for $.extend()
- issue 4642 (CVE-2020-11022) - htmlPrefilter unwraps things it shouldn't
- issue 4647 (CVE-2020-11023/CVE-2020-23064) - select/option wrapping unwraps can cause XSS
- CVE-2020-7656 - XSS - The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >"
- 3.5.0,3.5.1
- 3.6.0,3.6.1,3.6.2,3.6.3
- 3.7.0,3.7.1
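For the $.extend() entry above (issue 4333, CVE-2019-11358), an added example that is not jQuery's own code: a simplified deep merge in the style of $.extend(true, target, source), in the vulnerable form and in the hardened form that mirrors the 3.4.0 fix (skip "__proto__" keys), plus a pre-merge scan you can run on untrusted JSON before handing it to any merge helper. The function names and the sample payload are constructed for this example.

```javascript
// Added example, not jQuery code: models the deep-merge pattern behind
// CVE-2019-11358 and the defensive checks a caller should apply.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: a source key literally named "__proto__" is read from the
// target via the inherited accessor, so the recursion writes into
// Object.prototype instead of into a fresh object.
function deepExtendVulnerable(target, source) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: same logic, but never merges through "__proto__" and never
// merges a source into itself (the two guards jQuery 3.4.0 added).
function deepExtendSafe(target, source) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    if (name === "__proto__" || copy === target) continue;
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Pre-merge check for untrusted input: returns dotted paths of keys that
// can reach the prototype chain, so the caller can reject the payload.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function findDangerousKeys(value, path = "") {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) hits.push(here);
    hits.push(...findDangerousKeys(value[key], here));
  }
  return hits;
}
```

Run findDangerousKeys on parsed JSON before any $.extend(true, ...) call, and upgrade to a jQuery version that already contains the "__proto__" guard.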