Hillel Coren - 5 months ago
jQuery Question

Is jQuery 1.x vulnerable to "non-explicit data type cross-site scripting"?

We recently received the following email from https://nospam_srcclr.com (remove nospam_ for the real URL).


Thank you for your prompt reply. We have identified [our project] as being vulnerable to a cross-site scripting vulnerability through JQuery.

https://nospam_srcclr.com/security/cross-site-scripting-xss-through-execution-non-explicit-data-type/javascript/sid-2250/fix

A copy of the JQuery version 1.11.3 is included in the project here. JQuery is vulnerable to cross-site scripting through execution of non-explicit data type. The vulnerable section of code used in [our project] is seen here.

To mitigate this issue, we recommend upgrading JQuery to 3.0.0.


Is jQuery 1.x actually unsafe to use?

Answer

If you do not fetch any JavaScript from another untrusted domain by Ajax, it is still safe.

If you did, you can manually apply this simple patch to your current jQuery:

https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614
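An added example, not part of the original answer and not jQuery's own code: the same mitigation applied without editing the library file, assuming the linked commit's approach of an `ajaxPrefilter` that disables script content-type sniffing for cross-domain requests. The `inferDataType` and `simulate` helpers are a constructed, simplified model of how jQuery picks a data type when none is given, included only to show the effect.

```javascript
"use strict";

// Mitigation: for cross-domain requests, stop jQuery from inferring "script"
// from the response Content-Type. An explicit dataType: "script" still works.
function blockCrossDomainScriptSniffing(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// In a page that loads jQuery 1.x, register it before any $.ajax call.
if (typeof jQuery !== "undefined") {
  jQuery.ajaxPrefilter(blockCrossDomainScriptSniffing);
}

// Simplified model (constructed) of jQuery's default Content-Type patterns.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/
  };
}

// Returns the data type the request settles on. "script" means the response
// body would be evaluated as JavaScript in the page.
function inferDataType(settings, contentType) {
  if (settings.dataType) return settings.dataType; // explicit type wins
  for (const type of Object.keys(settings.contents)) {
    const pattern = settings.contents[type];
    if (pattern && pattern.test(contentType)) return type;
  }
  return "text"; // simplification: unmatched responses stay plain text
}

// Builds per-request settings, optionally applies the mitigation, and
// reports the inferred type for the given response Content-Type.
function simulate({ crossDomain, dataType, contentType, patched }) {
  const s = { crossDomain, dataType, contents: defaultContents() };
  if (patched) blockCrossDomainScriptSniffing(s);
  return inferDataType(s, contentType);
}
```

With the prefilter registered, a cross-domain request that omits `dataType` and receives `text/javascript` is treated as text instead of being executed; same-origin requests and requests that ask for `dataType: "script"` behave as before.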
