jQuery is a sink! Read:
http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html and
https://ttmm.io/tech/jquery-xss/
Understand, while polonus continuously scans here:
http://retire.insecurity.today/ and here:
http://www.domxssscanner.com/
A function or method can be considered insecure when one of its arguments comes from untrusted input
(check at https://observatory.mozilla.org/ whether content is being protected properly: CORS, same origin, SRI hashes generated)
and is not correctly validated for the layer the function is communicating with.
jQuery.html() is a sink, and so far no one complains.
jQuery is also designed to perform different operations based on argument type and content.
Using the same interface for querying and executing is a "bad idea".
jQuery as a selector?
Never use jQuery() or $() with an unvalidated argument, no matter what version is being used. Read the code!
jQuery developers retire old versions (zip them all for reference). What one acquires, one should also retire!
Change and lock jQuery's do-everything behaviour.
Do not let client-side input into HTTP without encodeURIComponent(). Do not use $.html() with untrusted input.
Check that they work as expected, e.g. <.*\?>
Test your RegExps.
A client request proxy is frameable by design!
Unfriendly header added:
x-Ms-Origin: http://cyber.at.track.er
XMLHttpRequest.attr=val
IE sees some code as valid JSON; you can still be left with an unvalidated object!
Be shy of using 3rd-party services that produce 3rd-party surprises.
HTML injection vulnerability.
Test and audit all 3rd-party code (jsunpack).
AngularJS has interesting injections.
Info credits go to Stefano Di Paola of Minded Security (mindedsecurity.com).
jQuery methods that directly update the DOM:
.after(), and likewise .append(), .before(), .html(), .insertAfter(), .insertBefore(), .prepend(), .prependTo(), .replaceAll(), .replaceWith(), .unwrap(), .wrap(), .wrapAll(), .wrapInner(), all called as .method(). .text() also updates the DOM but is safe.
Do not send unvalidated data to these methods, or properly escape it before doing so.
More danger: $() immediately evaluates the input, e.g. $("<img src=x onerror=alert(1)>")
jQuery.globalEval()
All event handlers: .bind(events), .bind(type [, data], handler), .on(), .add(html).
More research is needed to identify all the safe versus unsafe methods.
polonus (volunteer website security analyst and website error-hunter)
P.S. Interesting read on the dangers of 3rd-party scripts:
https://css-tricks.com/potential-dangers-of-third-party-javascript/ and
https://hackcabin.com/post/managing-async-dependencies-javascript/
Damian
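To make the "$() immediately evaluates the input" and "never pass an unvalidated argument to $()" points concrete, here is an added example (not from the post, and not jQuery's own code) that models how $() decides whether a string is a selector or HTML, and shows the defender-side guard and escaping that keep untrusted input out of the DOM sinks listed above. The two regexes are this example's simplified reading of jQuery's internal quick-expression before 1.6.3 and from 1.9 on, so treat them as an assumption; the inputs are constructed.

```javascript
// Models jQuery's $(string) dispatch: selector or HTML-to-create?
// ASSUMPTION: simplified reading of jQuery's internal regex, not library code.
// Before 1.6.3: "<...>" anywhere in the string made it HTML, so a hash such as
// "#profile <img ...>" taken from location.hash was parsed as markup.
const quickExprLegacy = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// From 1.9 on: only a string that starts with "<" is treated as HTML.
const quickExprModern = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns true when the modelled version would create elements from `arg`
// (the sink behaviour) instead of running a selector query.
function treatedAsHtml(arg, legacy) {
  if (!legacy && arg.charAt(0) === "<" &&
      arg.charAt(arg.length - 1) === ">" && arg.length >= 3) {
    return true; // fast path used by newer versions
  }
  const m = (legacy ? quickExprLegacy : quickExprModern).exec(arg);
  return Boolean(m && m[1]);
}

// Defender guard: accept only a strict "#id" selector before calling $().
// Anything else (spaces, "<", quotes) is rejected rather than passed through.
function safeIdSelector(input) {
  return /^#[\w-]+$/.test(input) ? input : null;
}

// Escape text for .html()/.append()/.after() etc. when .text() cannot be used.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs: a benign hash, the hash-based payload from the post's
// $("<img ...>") example, and the same payload passed directly.
const samples = {
  benign: "#profile",
  hashPayload: "#profile <img src=x onerror=alert(1)>",
  direct: "<img src=x onerror=alert(1)>",
};

// Summary table: which inputs each modelled version turns into HTML.
function classify() {
  const out = {};
  for (const [name, s] of Object.entries(samples)) {
    out[name] = { legacy: treatedAsHtml(s, true), modern: treatedAsHtml(s, false) };
  }
  return out;
}
```

Note that the direct payload is HTML in every version, which is why the guard in `safeIdSelector` rejects by allow-list rather than by version.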