Cross-Site Scripting
>=1.2.0 <3.5.0
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

‍Steps to Reproduce

This Medium level exploit can be found in jQuery versions greater than or equal to 1.2 and before 3.5.0. The problem may occur when passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others). With input not correctly sanitized, these methods may execute untrusted code.

Addressing the Issue

Clients should update to jQuery 3.5.0 immediately after thorough testing. Extensive testing is required because the sanitization method used in jQuery.htmlPrefilter()  changed in 3.5.0 and there are edge cases in which sanitization functionality may produce unexpected results. If the old behavior is absolutely required, the jQuery 3.5.0 Release blog describes a way to use the old logic in a safe way.  Alternatively, for clients unable to migrate, HeroDevs provides Never Ending Support for jQuery including versions of jQuery 1 and jQuery 2 with fixes for this security vulnerability.

Learning and Prevention

Sanitizing untrusted data before using or storing it is a security best practice for good reason: it is a common vector for breaking code. In this case, the error was found in the code designed to sanitize the data. The best available fix was to move away from using regex() to a new way to sanitize the data. 

Normally, using the built-in sanitization methods are sufficient. However, despite employing a new sanitization method in version 3.5.0, the jQuery team also recommends using the DOMPurify library for additional sanitization and to be sure to use the SAFE_FOR_JQUERY option. DOMPurify is a very popular, highly configurable library specifically designed to help prevent Cross-Site Scripting (XSS) exploits.


To provide the most secure possible Javascript frameworks for their sites, HeroDevs NES clients receive versions of jQuery which have this and all other relevant CVEs fixed.

This fix directly corrects the potential security hole described by CVE-2020-11022. To stay apprised of security updates like these, contact us today to become a customer.