I am working on an enterprise project and we have an upcoming new release. The security team runs a security scan, and in that vulnerability report there is one point that I am struggling with. The project uses jQuery 1.4.x and it causes an XSS vulnerability, namely this one. I need to upgrade jQuery, but the latest version will cause a lot of problems. My question is: is there a least version of jQuery that is stripped of the XSS vulnerability?

Deniz Gökçe
    I recently wrote [a blog post](https://www.sjoerdlangkemper.nl/2017/09/27/some-libraries-evaluate-remote-javascript/) about this. I think your best option is to disable the execution of JavaScript responses using `$.ajaxSetup({contents: {script: false}})`. – Sjoerd Jan 02 '18 at 14:49
  • You can also sanitize the input and/or patch the vulnerable jQuery yourself – Enos D'Andrea Apr 26 '18 at 17:01
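The `contents: {script: false}` setting from Sjoerd's comment works because jQuery decides how to treat an `$.ajax` response with no explicit `dataType` by matching its Content-Type against the `ajaxSettings.contents` map. The block below is an added illustration, not jQuery's own code or code from the linked blog post: it models that decision with a constructed map (the regexes are assumptions approximating jQuery's defaults) and shows that, once `script` is set to `false`, a `text/javascript` response is no longer typed `script` and so never reaches the `text script` converter that would evaluate it, while JSON responses keep working.

```javascript
// Model of jQuery's response-type sniffing (added illustration, not jQuery code).
// Assumption: the default `contents` map has roughly these entries; the
// regexes below are approximations of jQuery 1.x/2.x, not copied from it.
const DEFAULT_CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// What $.ajaxSetup({contents: {script: false}}) does: the caller's map is
// merged over the defaults, so the `script` entry becomes `false`.
function ajaxSetup(base, overrides) {
  return Object.assign({}, base, overrides);
}

const HARDENED_CONTENTS = ajaxSetup(DEFAULT_CONTENTS, { script: false });

// For the wildcard dataType "*", jQuery walks the `contents` map and takes
// the first entry whose regex matches the Content-Type. A `false` entry is
// skipped, which is exactly why the mitigation works.
function inferDataType(contentType, contents) {
  const ct = contentType || "";
  for (const type of Object.keys(contents)) {
    const re = contents[type];
    if (re && re.test(ct)) return type;
  }
  return "text"; // nothing matched: delivered as plain text, never evaluated
}

// Would this response be handed to the "text script" converter (globalEval)?
function wouldExecute(contentType, contents) {
  return inferDataType(contentType, contents) === "script";
}

// Constructed sample Content-Type headers; the decision depends on headers only.
const SAMPLES = [
  "application/json; charset=utf-8",
  "text/javascript; charset=utf-8",
  "application/ecmascript",
  "text/plain",
];

// Compare the default and hardened behaviour for each sample header.
function summarize(contents) {
  return SAMPLES.map((ct) => [ct, wouldExecute(ct, contents)]);
}
```

With the default map `summarize(DEFAULT_CONTENTS)` flags both script headers as executable; with `HARDENED_CONTENTS` none are, and JSON is still typed `json`.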

To get away from the reported issues (which will show up via projects like Retire.js), you'll need to use a jQuery version in the 3.x line. At least one of the commonly referenced issues (this one) required breaking changes and as such was never fixed in the 1.x stream.

The current latest version is 3.2.1 and I'm not aware of it having any disclosed XSS issues.

Rory McCune
  • Can the jQuery 2.x line suffice for this situation, because I need to avoid a major update? – Deniz Gökçe Jan 02 '18 at 13:14
  • I'm afraid reading down that issue the last comment from the developers appears to be "Yes, this was a breaking change so we couldn't include it in 2.x now that we follow semver. Also, we no longer maintain jQuery 1.x/2.x, only the latest version, currently 3.x." so it sounds like you'd need 3.x – Rory McCune Jan 02 '18 at 13:21
  • Thank you! It seems like it has to be updated to the current version to make it work. – Deniz Gökçe Jan 02 '18 at 13:23