Cross-Site Scripting
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

The jQuery $.load() command provides a simple way to load content from other servers and insert it into  the current web page. By design, as part of its sanitization process, it is supposed to remove “<script>” tags to ensure that malicious code cannot be inserted into the page and executed.

The vulnerability fails to recognize and remove  “<script>” tags that contain a whitespace character, which can result in Cross-site Scripting attacks by including malicious code in the included script.

Addressing the Issue

Clients using jQuery prior to 1.9.1 should upgrade immediately to this version, which contains the fix. Alternatively, clients who need to still remain on 1.6 may leverage HeroDevs Never Ending Support which provides versions of jQuery with this and other CVEs remediated.

Learning and Prevention

Typically, jQuery employs multiple methods to sanitize data. In this case, the actual sanitization method had a vulnerability in it. In these cases, the best business practice is to stay abreast of security updates so that your servers are vulnerable for the least amount of time once the exploit has been published publicly.


HeroDevs jQuery Never-Ending Support can make your team’s life easier and more convenient by ensuring that it has the latest, secure code for all your important dependencies. Contact HeroDevs today to sign up for our comprehensive support service.


NIST CVE-2020-7656 entry