jQuery addresses XSS safety problem in three.5 launch
The safety problem was one which opened up the doorways for cross-site scripting (XSS) assaults. jQuery makes use of an everyday expression within the jQuery.htmlPrefilter technique that made positive that every one closing tags had been XHTML-compliant once they had been handed to strategies. In response to the jQuery staff, there have been just a few edge circumstances the place this course of led to XSS vulnerabilities.
In response to the jQuery staff, it’s attainable that the repair to this vulnerability would require builders to rewrite their code. The staff famous that if a developer actually wants the previous habits, they’ll restore the earlier model of jQuery.htmlPrefilter through the use of the jQuery migrate plugin.
This launch additionally provides the 2 strategies which can be meant to switch positional selectors, that are presently being deprecated and might be eliminated in jQuery four.zero. The .even() and .odd() strategies will exchange the :even and :odd selectors.
One other minor function on this launch is the power so as to add context to jQuery.globalEval.
In response to the staff, this launch additionally fastened a bug within the Ajax script transport, improved efficiency in Sizzle, added assist for enormous arrays in jQuery map, fastened syntax errors in AMD modules, and extra.
Extra data is on the market right here.