Security finding for JQuery 3.6.0 version #5357
Hi everyone,

1) Improper Control of Generation of Code ('Code Injection')
2) Incorrect Regular Expression
Replies: 1 comment
Those all look like false findings to me. Direct inspection of https://code.jquery.com/jquery-3.6.0.js shows that `jQuery.propFix[ this.toLowerCase() ]` and `elem = results[ i++ ]` are in fact applying only to controlled input, that the `className` in finding 2 is constrained to match `new RegExp( "^\\.(" + identifier + ")" )` unless `matchExpr` (`jQuery.expr.match`) has been modified, and that `xhr.open` is not an "fs" call (although guarding against "file:///" URLs is important).