jQuery 1.7.X

1.7.4

Notes

• This release was the first release in the 1.7.x NES line where the Semantic Versioning was updated.
• Full Version: 1.7.2-jquery-1.7.4

Bug Fixes

• Removed doc references to an outdated and now malicious site (BDSA-2021-3651)

1.7.3

Notes

• Only non-functional files (licensing, copyright, packaging, etc) required for NES distribution were changed.
• Full Version: 1.7.3

Bug Fixes

• Wrap <option> element to prevent executing untrusted code
  • This fixes a Moderate Severity Potential XSS vulnerability (CVE-2020-11023)
• Remove whitespace from <script> elements to prevent execution of arbitrary JavaScript
  • This fixes a Moderate Severity Potential XSS vulnerability (CVE-2020-7656)
• Remove instances where HTML (from untrusted sources) is passed into a manipulation method
  • This fixes a Moderate Severity Potential XSS vulnerability (CVE-2020-11022)
• Prevent Object.prototype pollution
  • This fixes a Moderate Severity XSS in jQuery vulnerability (CVE-2019-11358)
• Strict HTML recognition (#11290: must start with <)
  • This fixes a Moderate Severity XSS in jQuery vulnerability (CVE-2012-6708)
• Avoid XSS via location.hash
  • This fixes a Moderate Severity XSS in jQuery vulnerability (CVE-2011-4969)
• Prevent auto-execution of scripts when no explicit dataType was provided
  • This fixes a Moderate Severity Cross-Site Scripting (XSS) vulnerability (CVE-2015-9251)

Breaking Changes

• jQuery() only detects string as HTML if it starts with <.
  Previously, a string passed to jQuery()/$() would be considerd HTML if it had HTML tags anywhere within the string. For example, jQuery('foo<div>bar</div>') would be treated as HTML.
  Due to security considerations (CVE-2012-6708), this behavior has been altered so that now only strings starting with the less-than character (<) will be considered HTML. For example, jQuery('foo<div>bar</div>') will be treated as a selector, but jQuery('<div>bar</div>') will be treated as HTML. For more details, see the migration guide for jQuery v1.9.0, where this change was backported from.
  In order to avoid unexpected behavior in your applications, if you want to parse HTML strings that may start with arbitrary text that is not an HTML tag, use jQuert.parseHTML(). If either the strings passed to jQuery()/$() start with an HTML tag or they're not meant to be treated as HTML, then no change is needed.
  // Before:
  jQuery('.my-selector-that-is-not-html');
  jQuery('<div>my HTML</div><div>that starts with a tag</div>');
  jQuery('my HTML <div>that does not start with a tag</div>');
  
  // After:
  jQuery('.my-selector-that-is-not-html'); // Can remain the same.
  jQuery('<div>my HTML</div><div>that starts with a tag</div>'); // Can remain the same.
  jQuery(jQuery.parseHTML('my HTML <div>that does not start with a tag</div>')); // Must use `parseHTML()`.
  

• Manipulation methods no longer auto-close tags.
  Previously, the jQuery.htmlPrefilter() method, used internally by jQuery's manipulation methods, transformed HTML in a way that could change its semantics by adding closing HTML tags. For example, it transformed jQuery('<i class="icon" />') to the XHTML-compliant jQuery('<i class="icon"></i>). Similarly, jQuery('<i ... /><div>...</div>') was transformed to jQuery('<i ...></i><div>...</div>').
  Due to security considerations (CVE-2020-11022), this behavior has been altered so that now the HTML retains its original semantics per the HTML specification. For example, jQuery('<i ... /><div>...</div>') would be equivalent to jQuery('<i ...><div>...</div></i>'). For more details, see the release notes for jQuery v3.5.0, where this change was backported from.
  In order to avoid unexpected behavior in your applications, you need to ensure that non-void elements are properly closed when passed to jQuery's manipulation methods.
  // Before:
  jQuery('<i ... />');
  jQuery('<i ... /><div>...</div>');
  
  // After:
  jQuery('<i ...></i>');
  jQuery('<i ...></i><div>...</div>');