Steps to Reproduce
This Medium level exploit is related to CVE-2020-11022; it can be found in jQuery versions greater than or equal to 1.0.3 and before 3.5.0. Instead of being concerned with general HTML (which CVE-2020-11022 handles), this problem may occur when passing HTML containing <option> elements, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others). With input not correctly sanitized, these methods may execute untrusted code.
Addressing the Issue
Clients should update to jQuery 3.5.0 immediately after thorough testing. Extensive testing is required because the sanitization method used in jQuery.htmlPrefilter() changed in 3.5.0 and there are edge cases in which sanitization functionality may produce unexpected results. If the old behavior is absolutely required, the jQuery 3.5.0 Release blog describes a way to use the old logic in a safe way.
Learning and Prevention
Sanitizing untrusted data before using or storing it is a security best practice for good reason: it is a common vector for breaking code. In this case, the error was found in the code designed to sanitize the data that specifically included <option> elements.
Normally, using the built-in sanitization methods are sufficient. However, despite employing a new sanitization method in version 3.5.0, the jQuery team also recommends using the DOMPurify library for additional sanitization and to be sure to use the SAFE_FOR_JQUERY option. DOMPurify is a very popular, highly configurable library specifically designed to help prevent Cross-Site Scripting (XSS) exploits.
Conclusion
To provide the most secure possible Javascript frameworks for their sites, HeroDevs NES clients receive this version of jQuery and all other relevant CVEs that have been fixed.
This fix directly corrects directly corrects the potential security hole described by CVE-2020-11023. To stay apprised of security updates like these, contact us today to become a customer.