jQuery versions prior to 3.5 suffer from an html() cross site scripting vulnerability.
1eb6f7c99d9e83fd3ae94efce8b462a1# jquery-xss-in-html
jQuery < 3.5 Cross-Site Scripting (XSS) in html()
Timmy Willison recently released a new version of jQuery. jQuery 3.5 fixes a cross-site scripting (XSS) vulnerability found in the jQuery’s HTML parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities.
Masato Kinugawa found a cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery, and published an example showing a popup alert window in the form of a challenge. (https://xss.pwnfunction.com/challenges/ww3/)
Below is a CodeQL query I wrote that can find user controlled values passed to html() which can be abused to perform Cross-Site Scripting.
Please check your projects, submit responsible disclosures to projects that might be affected.
```
/**
* @name Taint-tracking to 'html' calls (with path visualization)
* @description Tracks user-controlled values into 'html' calls (vulnerable to XSS in jQuery < 3.5)
* and generates a visualizable path from the source to the sink.
* @kind path-problem
* @tags security
* @id js/html-taint-path
*/
import javascript
import DataFlow
import DataFlow::PathGraph
import DOM
import semmle.javascript.dependencies.FrameworkLibraries
class HtmlTaint extends TaintTracking::Configuration {
HtmlTaint() { this = "HtmlTaint" }
override predicate isSource(Node node) { node = DOM::locationSource() }
override predicate isSink(Node node) { node =jquery().getACall().getAMethodCall("html").getArgument(0) }
}
from HtmlTaint cfg, PathNode source, PathNode sink, FrameworkLibraryInstance framework, string version
where cfg.hasFlowPath(source, sink) and framework.info("jquery", version)
select sink.getNode(), source, sink, "Html with user-controlled input from $@. When using jquery version $@.", source.getNode(), "here", framework, version
```