jQuery outdated #254

Open
Nodeswitch opened this issue Mar 25, 2022 · 1 comment

Comments

@Nodeswitch

Hi there

Security scans revealed that a version of jQuery from 2011 (1.6.1) is being used, which is vulnerable to a couple of XSS attacks.

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Is it possible for these to be updated?
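
Added example, not part of the original issue or of the project's code: a simplified JavaScript model of the two HTML-detection behaviours quoted in the scan findings, with a fragment-validation helper and a version check against the 1.6.3 boundary. The function names, the id pattern and the sample fragments are assumptions constructed for illustration.

```javascript
// Added example. Simplified models of the behaviour quoted in the issue;
// they are not jQuery's source code.

// Vulnerable builds: input is treated as HTML if '<' appears anywhere.
function treatedAsHtmlVulnerable(input) {
  return String(input).includes('<');
}

// Fixed builds: input is treated as HTML only if it starts with '<'.
function treatedAsHtmlFixed(input) {
  return String(input).startsWith('<');
}

// Hypothetical helper: reduce a URL fragment to a plain element id, or null.
// The caller then uses document.getElementById(id) instead of $(location.hash),
// so the fragment never reaches jQuery's selector-or-HTML decision.
function hashToElementId(hash) {
  let value = String(hash).replace(/^#/, '');
  try {
    value = decodeURIComponent(value);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Assumed id policy: a letter, then up to 63 letters, digits, '_' or '-'.
  return /^[A-Za-z][A-Za-z0-9_-]{0,63}$/.test(value) ? value : null;
}

// True when a dotted version string is lower than the given minimum,
// e.g. the 1.6.3 boundary named in the first finding.
function isOlderThan(version, minimum) {
  const a = String(version).split('.').map(Number);
  const b = String(minimum).split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Constructed sample fragments (benign markup only).
const samples = ['#settings', '#tab<b>x</b>', '<p>hi</p>', '#a%zz'];
for (const s of samples) {
  console.log(JSON.stringify(s), {
    vulnerable: treatedAsHtmlVulnerable(s),
    fixed: treatedAsHtmlFixed(s),
    id: hashToElementId(s),
  });
}
console.log('1.6.1 older than 1.6.3:', isOlderThan('1.6.1', '1.6.3'));
```

The second sample is the case the findings describe: it begins like a selector, yet the vulnerable model classifies it as HTML, while the validation helper rejects it under both models.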

@dstndstn
Owner

Feel free to send a PR
