Cross-site Scripting (XSS)
Affecting jquery package, versions >=1.7.1 <1.9.0
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The jQuery(strInput) function does not reliably distinguish CSS selectors from HTML. In the vulnerable versions, jQuery treated the input as HTML whenever it found a '<' character anywhere in the string, so an attacker who can inject into any part of a string passed to jQuery() (for example a selector assembled from a URL parameter or form field) can append markup such as an <img> tag with an event handler and have it parsed and executed as HTML rather than evaluated as a selector.
In the fixed versions, jQuery only treats the input as HTML if it explicitly starts with '<'. This limits exploitation to attackers who control the beginning of the string, which is far less common, but it does not make jQuery(untrustedString) safe: strings that must be HTML should be built with jQuery.parseHTML() or by setting .text() on a created element, and selector lookups should use a form such as $(document).find(untrustedSelector) that can never be interpreted as HTML.
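The following is an added example, not code from the advisory or from the jQuery project, that models the "selector or HTML?" decision before and after 1.9.0 on a few constructed inputs. The two regular expressions are my transcription of the quick-detection patterns used by jQuery 1.7.1 and 1.9.0 (quickExpr and rquickExpr) and the surrounding dispatch is simplified (no context argument); check them against the corresponding jQuery sources before relying on the details. Note that both versions already refuse to treat a string beginning with '#' as HTML, so the remaining pre-1.9 exposure is in strings that do not start with '#'.

```javascript
// Added example: model of jQuery(strInput)'s HTML-vs-selector check.
// Regexes transcribed from jQuery 1.7.1 (quickExpr) and 1.9.0 (rquickExpr);
// assumed accurate, verify against the releases. Not jQuery's own code.

// Pre-1.9: any '<...>' after a prefix containing neither '#' nor '<' counts as HTML.
const QUICK_EXPR_PRE19 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// 1.9.0: HTML only if the string itself starts with '<'.
const QUICK_EXPR_19 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns "html", "id" or "selector" the way jQuery < 1.9 would branch.
function classifyPre19(input) {
  const m = QUICK_EXPR_PRE19.exec(input);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

// Returns "html", "id" or "selector" the way jQuery 1.9.0 would branch.
function classify19(input) {
  // 1.9 short-circuits: a string wrapped in '<' ... '>' is HTML outright.
  if (
    input.charAt(0) === "<" &&
    input.charAt(input.length - 1) === ">" &&
    input.length >= 3
  ) {
    return "html";
  }
  const m = QUICK_EXPR_19.exec(input);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

// Constructed inputs: a benign id, attacker-controlled markup at the start,
// markup appended to a selector fragment, and markup after a '#' id.
const SAMPLES = [
  "#menu",
  "<img src=x onerror=alert(1)>",
  ".item<img src=x onerror=alert(1)>",
  "#menu <b>x</b>",
];

// Tabulates how each version would interpret each sample.
function compare(inputs) {
  return inputs.map((s) => ({
    input: s,
    pre19: classifyPre19(s),
    v19: classify19(s),
  }));
}

// Stand-alone run: prints the comparison table.
console.table(compare(SAMPLES));
```

The third sample is the case the advisory is about: with an application doing something like jQuery("." + userSuppliedClass), the old check sees the embedded <img> and parses the whole string as HTML, firing the onerror handler, while 1.9.0 sends it to the selector engine. The second sample shows the residual risk the advisory mentions: an attacker who controls the start of the string is still able to inject HTML in both versions, which is why selector and HTML inputs should be dispatched explicitly in application code rather than left to this heuristic.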
Upgrade jquery to version 1.9.0 or higher.