kunal-chowdhury.com

jQuery 3.5 is now available with new features and fixes to XSS vulnerability



The jQuery team has released version 3.5, which includes some new features, security bug fixes and more. According to the team, the main change in this release is a security fix, and it's possible you will need to change your own code to adapt.

 

Here's everything you would like to know about the latest changes, and how to download the latest version of jQuery 3.5.

 


 

jQuery 3.5 introduces a small feature: the ability to add a context to jQuery.globalEval. This was done as part of fixing a bug with script execution in iframes.

 

The main update in jQuery 3.5 is a fix for a cross-site scripting (XSS) vulnerability found in jQuery's HTML parser. Prior to this release, jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. But sometimes the regex was introducing this cross-site scripting (XSS) vulnerability. With this release, the jQuery.htmlPrefilter function no longer uses any regex and passes the string through unchanged.

 

If you need the old behavior, you can use the latest version of the jQuery Migrate plugin, which provides a function to restore the old jQuery.htmlPrefilter. After including the plugin, you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.
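To see what the prefilter change means for existing code, the following added example (not from the jQuery project or the original post) compares the two behaviors and lists the tags the old prefilter would have rewritten. The regex is reproduced from pre-3.5 jQuery as an assumption to verify against the build you ship; `auditHtmlString` and the sample strings are hypothetical.

```javascript
// Pattern and replacement used by jQuery.htmlPrefilter before 3.5
// (assumption of this example: check it against your own jQuery build).
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5 behavior: expand "<tag/>" into "<tag></tag>" for non-void elements.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5 behavior: the string reaches the browser's HTML parser unchanged.
function htmlPrefilter35(html) {
  return html;
}

// Hypothetical audit helper: reports which tags the legacy prefilter would
// have rewritten, i.e. where the markup inserted into the DOM differed from
// the markup the caller (or a sanitizer) actually produced.
function auditHtmlString(html) {
  const rewritten = [];
  for (const m of html.matchAll(rxhtmlTag)) {
    rewritten.push({ tag: m[2].toLowerCase(), index: m.index, source: m[0] });
  }
  const legacyOutput = legacyHtmlPrefilter(html);
  return {
    changedByLegacy: legacyOutput !== htmlPrefilter35(html),
    legacyOutput,
    rewritten,
  };
}

// Constructed sample strings of the kind passed to .html(), .append(), $().
const samples = [
  "<div/><span/>",         // siblings before 3.5; the HTML parser ignores "/"
                           // on non-void tags, so 3.5 nests <span> in <div>
  "<p class='note'/>text", // attributes are carried into the expanded tag
  "<img src='a.png'/>",    // void element: never rewritten
  "<div></div>",           // already explicit: safe on both versions
];

for (const html of samples) {
  const report = auditHtmlString(html);
  console.log(JSON.stringify(html), "->", JSON.stringify(report.legacyOutput),
    report.changedByLegacy ? "(review before upgrading)" : "(unchanged)");
}
```

Strings flagged here should be rewritten with explicit closing tags rather than kept working through jQuery.UNSAFE_restoreLegacyHtmlPrefilter().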

 

Earlier, jQuery evaluated any response to a request for a script as a script, which is not always the desired behavior. jQuery 3.5 now only evaluates successful HTTP responses.

 

Apart from this, jQuery 3.5 deprecates jQuery.trim in favor of JavaScript's own String.prototype.trim(). So, while migrating to the latest version of the library, please take note of this change.

 

The jQuery team also announced a slim version of jQuery that excludes ajax, for those who do not need it or who prefer one of the many standalone libraries that focus on ajax requests. Although the size of jQuery is very rarely a load performance concern these days, the slim build is about 6k gzipped bytes smaller than the regular version.

 

You can get the latest version of jQuery files from the jQuery CDN, or link to them directly:
https://code.jquery.com/jquery-3.5.0.js (uncompressed)
https://code.jquery.com/jquery-3.5.0.min.js (compressed/minified)
https://code.jquery.com/jquery-3.5.0.slim.js (uncompressed, slim)
https://code.jquery.com/jquery-3.5.0.slim.min.js (compressed/minified, slim)

 

 


Kunal Chowdhury