2020-04-14
jQuery below 3.5.0 vulnerable to cross-site scripting
All jQuery versions below 3.5.0 are vulnerable to cross-site scripting (XSS) attacks. If exploited successfully, an attacker can trick the user's browser into rendering a malicious page or hijack a user session. It is even possible to execute remote code. It is recommended to update to jQuery >= 3.5.0.
CROSS-SITE SCRIPTING ATTACK (XSS)
The main change in the jQuery 3.5.0 release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why:
jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter ensured that a call like
jQuery("<div class='hot' />")
is converted to
jQuery("<div class='hot'></div>")
Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.
The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged. If you absolutely need the old behavior, the latest version of the jQuery Migrate plugin provides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter().
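The following is an added example, not jQuery's own source and not part of the original advisory. It models the two behaviours described above side by side: the pre-3.5.0 prefilter that rewrote self-closing tags with a regex, and the 3.5.0 prefilter that returns the string unchanged. The regex is written from memory of the jQuery 3.4.x manipulation code and should be treated as an approximation rather than a verbatim copy; the restoreLegacyHtmlPrefilter function is a stand-in for what the Migrate plugin's opt-in does, not the plugin's code. The security-relevant point it makes visible is that the legacy rewrite operates on raw text with no knowledge of the browser's parsing context, so its output can differ from what the browser would have produced from the untouched string.

```javascript
// Added example (not jQuery's own source): a stand-alone model of what
// jQuery.htmlPrefilter did before 3.5.0 versus what it does from 3.5.0 on.
// The regex is reproduced from memory of jQuery 3.4.x and is an assumption,
// not a verbatim copy of the library.

// Pre-3.5.0 behaviour: a self-closing tag that is not a void element
// (<div/>, <span/>, ...) was rewritten into an explicit open/close pair.
// Void elements listed in the negative lookahead were left alone.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5.0+ behaviour: the string is passed through untouched, so the browser's
// own HTML parser, with full knowledge of context, decides what "/>" means.
function htmlPrefilter(html) {
  return html;
}

// Hypothetical stand-in for the Migrate plugin's opt-in: swap the safe
// prefilter for the legacy one on a jQuery-like object and hand it back.
function restoreLegacyHtmlPrefilter(jq) {
  jq.htmlPrefilter = legacyHtmlPrefilter;
  return jq;
}

// Run the same markup through both prefilters so the difference is visible.
function compare(html) {
  return { legacy: legacyHtmlPrefilter(html), current: htmlPrefilter(html) };
}

// Inputs taken from the advisory's own example plus a void element.
console.log(compare("<div class='hot'/>"));
console.log(compare("<br/>"));
```

Note that the legacy regex keeps any whitespace that preceded the `/>`, so `<div class='hot' />` becomes `<div class='hot' ></div>`; the advisory's rendering without the space is the same markup after the browser normalises it.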
Insight
There are a few methods by which XSS can be manipulated:
- The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
- The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
- The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
- The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
HOW TO PREVENT
- Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
- Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
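As an added example (not part of the original advisory), the two prevention points above carried into working code: untrusted input is encoded for the context it is written into, HTML text in one case and a URL query value in the other. The renderSearchEcho function and its sample input are constructed for illustration; encodeURIComponent is the standard browser and Node primitive and already covers the ?, &, /, <, > and space characters the list names.

```javascript
// Added example (not from the original advisory): context-specific output
// encoding for reflected input. A single "sanitize" pass that ignores the
// output context is the usual root cause of reflected XSS.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;",
};

// Escape a string so it is rendered as literal text inside an HTML element.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode a value for use inside a URL query string. encodeURIComponent already
// handles ?, &, /, <, > and spaces, so it is the right primitive here.
function encodeQueryValue(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// Hypothetical "search results" fragment: the query is reflected once as
// element text and once inside a link, each with its own encoder.
function renderSearchEcho(query) {
  return (
    `<p>Results for: ${escapeHtml(query)}</p>` +
    `<a href="/search?q=${encodeQueryValue(query)}">Search again</a>`
  );
}

// Constructed sample input containing characters that must not survive as markup.
const sample = `<b>bold</b> & "quotes" / 50% off?`;
console.log(renderSearchEcho(sample));
```

The same rule applies to jQuery code: a reflected value belongs in `.text()` or an attribute setter, never in a string handed to `.html()` or to the jQuery constructor, where it would be parsed as markup.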
PATCHES AND BACKPORTS
There are currently no known patches or backports for older versions of jQuery.