jQuery 1.12.X
Release Notes
1.12.6
Notes
- This release was the first release in the 1.12.x NES line where the Semantic Versioning was updated.
- Full Version:
1.12.4-jquery-1.12.6
Bug Fixes
- Removed doc references to an outdated and now malicious site (BDSA-2021-3651)
1.12.5
Notes
- This release originates from an open-source jQuery repository forked by HeroDevs. It encompasses modifications and further security updates implemented by HeroDevs to ensure successful building.
- Full Version:
1.12.5
Bug Fixes
- Wrap
<option>element to prevent executing untrusted code- This fixes a Moderate Severity Potential XSS vulnerability (CVE-2020-11023)
- Remove instances where HTML (from untrusted sources) is passed into a manipulation method
- This fixes a Moderate Severity Potential XSS vulnerability (CVE-2020-11022)
- Prevent Object.prototype pollution
- This fixes a Moderate Severity XSS in jQuery vulnerability (CVE-2019-11358)
- Prevent auto-execution of scripts when no explicit dataType was provided
- This fixes a Moderate Severity Cross-Site Scripting (XSS) vulnerability (CVE-2015-9251)
Breaking Changes
- Manipulation methods no longer auto-close tags.
Previously, thejQuery.htmlPrefilter()method, used internally by jQuery's manipulation methods, transformed HTML in a way that could change its semantics by adding closing HTML tags. For example, it transformedjQuery('<i class="icon" />')to the XHTML-compliantjQuery('<i class="icon"></i>). Similarly,jQuery('<i ... /><div>...</div>')was transformed tojQuery('<i ...></i><div>...</div>').
Due to security considerations (CVE-2020-11022), this behavior has been altered so that now the HTML retains its original semantics per the HTML specification. For example,jQuery('<i ... /><div>...</div>')would be equivalent tojQuery('<i ...><div>...</div></i>'). For more details, see the release notes for jQuery v3.5.0, where this change was backported from.
In order to avoid unexpected behavior in your applications, you need to ensure that non-void elements are properly closed when passed to jQuery's manipulation methods.// Before: jQuery('<i ... />'); jQuery('<i ... /><div>...</div>'); // After: jQuery('<i ...></i>'); jQuery('<i ...></i><div>...</div>');