Skip to content

Potential XSS vulnerability when appending HTML containing option elements

timmywil published GHSA-jpcq-cgw6-v4j6 Apr 29, 2020
Severity
moderate
Packages
jquery (npm)
Affected versions
>=1.0.3 <3.5.0
Patched versions
3.5.0
CVE identifier
CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

You can’t perform that action at this time.