In May 2020, the jQuery team released v3.5.1 to fix a regression and address two security issues.
In this post, I'll discuss why you should update both your jQuery and DevExpress installations.
Security Fixes
The security issues are related to jQuery's DOM manipulation methods (.html(), .append(), etc.):
The second issue was very similar to the first. It was an XSS vulnerability that had to do with passing
<option>elements to jQuery’s DOM manipulation methods. Essentially, we’re using a regex to wrap<option>elements with<select>elements to ensure those elements get parsed correctly in old IE (IE <= 9 replaces any<option>tags with their contents when inserted outside of a<select>element). - Timmy Wilson, jQuery Blog
This vulnerability is specific for jQuery versions older than v3.5.0. We encourage you to upgrade to jQuery v3.5.1+.
Upgrade DevExpress
While many DevExpress web components use jQuery, this vulnerability does not affect our web controls directly. However, if you're using the vulnerable jQuery methods mentioned above (for user input), compromising code can be injected from the client browser.
The good news: this vulnerability has been fixed in jQuery v3.5.1+. As such, we've updated the following versions of our product suite:
- v19.1.11
- v19.2.8
- v20.1.4
I recommend that you install our update - this will be the easiest way to move to jQuery v3.5.1.
Learn more here: DevExpress Security Advisory
Upgrade npm packages
Please run the following command - it'll update your jQuery to the latest version:
npm i jquery
If you encounter any issues, please contact our support team for immediate assistance.