jQuery v2.1.3 vulnerabilities

Because jQuery 2.1.3 is a client-side library, its vulnerabilities are exploitable by any malicious user who can inject scripts into your application or trick a user into clicking a crafted link. Two of the flaws:

- Passing HTML containing elements, even after sanitization, to DOM manipulation methods like .html() or .append() can trigger malicious code execution.
- An attacker who compromises a third-party service your app calls can inject and execute arbitrary JavaScript in your users' browsers.

In jQuery v2.1.3, the following executes the alert:

```javascript
// In jQuery v2.1.3, this executes the alert: .html() parses the string as
// markup, and the <img> element's onerror handler fires when the bogus src
// fails to load.
var userInput = "<img src=x onerror=alert('XSS')>";
$("#container").html(userInput);
```

It is crucial to note that the jQuery team has since released patches in higher sub-versions (2.1.4, 2.2.x, and the 3.x branches). This is the only version that officially patches both the Prototype Pollution and the 2020 XSS flaws.

- Use the Migrate plugin: if your site breaks after upgrading, the jQuery Migrate plugin
- Check their changelog for fixed issues.
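The defensive counterpart to the .html() call discussed above, as an added example that is not part of the original page or of jQuery itself: untrusted text is routed to a sink that never parses markup (.text()), and, where an HTML sink is unavoidable, it is escaped first. The helper names escapeHtml, containsMarkup and renderUntrusted are chosen here and are not jQuery APIs; the only assumption about the element is that it exposes jQuery's .text() method, so a minimal fake element is built inline and the file runs without jQuery.

```javascript
// Added example, not code from the original page: the defensive counterpart to
// the $("#container").html(userInput) call. Untrusted text should reach the DOM
// through a sink that does not parse markup (.text()), and if it must go through
// an HTML sink, it is escaped first.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters an HTML parser can use to start a tag or break
// out of an attribute, so the result is safe to hand to .html() or innerHTML.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection helper: true when a value contains characters that would be parsed
// as tags. Useful for flagging suspicious input in request logs before it ever
// reaches a rendering sink.
function containsMarkup(value) {
  return /[<>]/.test(String(value));
}

// Render untrusted content into an element-like object (assumed to expose
// jQuery's .text(), which sets textContent and never parses markup).
function renderUntrusted($el, untrusted) {
  $el.text(untrusted);
  return $el;
}

// Constructed input: the same payload the page uses to illustrate the flaw.
const SAMPLE_PAYLOAD = "<img src=x onerror=alert('XSS')>";

// Stand-alone demonstration with a minimal fake element (no jQuery needed),
// so the file runs under Node as well as in a browser.
function demo() {
  const fakeElement = {
    textContent: "",
    text(value) {
      this.textContent = String(value);
      return this;
    },
  };
  renderUntrusted(fakeElement, SAMPLE_PAYLOAD);
  return {
    escaped: escapeHtml(SAMPLE_PAYLOAD), // no "<" survives, so nothing is parsed
    flagged: containsMarkup(SAMPLE_PAYLOAD), // true: worth logging as suspicious
    rendered: fakeElement.textContent, // payload stored verbatim as text, not markup
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a real page, renderUntrusted would be handed the jQuery object directly, e.g. renderUntrusted($("#container"), userInput); the point is that the string reaches textContent and is displayed literally rather than being parsed into an element whose event handler runs.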