zachliu commented on issue #15364: URL: https://github.com/apache/airflow/issues/15364#issuecomment-843265097
in case anyone is interested

Vulnerable javascript library: jQuery
version: 3.4.1
Details: jQuery versions below 3.5.0 used a regex in its jQuery.htmlPrefilter method. This regex, which is used to ensure that all tags are XHTML-compliant, could introduce a vulnerability to Cross-site Scripting (XSS) attack. Please refer to vendor documentation (https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and https://jquery.com/upgrade-guide/3.5/) for the security fix details.

----------------------------------------------

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Please refer to https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 and https://nvd.nist.gov/vuln/detail/CVE-2020-11022 ...
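As an added illustration (not part of the issue thread or the Airflow code base), the block below reproduces the self-closing-tag regex that jQuery 3.4.1's `htmlPrefilter` applied before `.html()`/`.append()` and the identity pass-through that replaced it in 3.5.0, and adds two defender-side checks: `prefilterRewrites()` tells you whether the legacy filter would have altered a given markup string (so it differs from what a sanitizer inspected), and `isAffectedJQueryVersion()` flags a version string inside the 1.2 <= v < 3.5.0 range quoted above. The regex is copied from jQuery 3.4.1; the helper names are assumptions of this example.

```javascript
// Regex from jQuery 3.4.1 htmlPrefilter: expands "<tag ... />" into "<tag ...></tag>"
// for every element not in the void-element list. Removed in jQuery 3.5.0.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: markup handed to .html()/.append() is rewritten first,
// so the string the DOM receives can differ from the one a sanitizer approved.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5.0+ behaviour: the prefilter is the identity function.
function fixedHtmlPrefilter(html) {
  return html;
}

// Defender check: does the legacy prefilter change this markup at all?
// A true result means sanitizer output and DOM input diverge on old jQuery.
function prefilterRewrites(html) {
  return legacyHtmlPrefilter(html) !== html;
}

// Parse "3.4.1" / "1.2" into [major, minor, patch]; missing parts become 0.
function parseVersion(v) {
  const parts = String(v).split(".").map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range as stated in the advisory quoted in the issue: >= 1.2 and < 3.5.0.
function isAffectedJQueryVersion(v) {
  return compareVersions(v, "1.2.0") >= 0 && compareVersions(v, "3.5.0") < 0;
}

// Constructed sample inputs: ordinary markup only.
const samples = ['<div/>', '<br/>', '<p title="a/b"/>', "<span>ok</span>"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(legacyHtmlPrefilter(s)),
              "| rewritten:", prefilterRewrites(s));
}
console.log("jQuery 3.4.1 affected:", isAffectedJQueryVersion("3.4.1"));
```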
