Upgrade to jQuery v3.5.1+ - DevExpress Controls

ASP.NET Team Blog
15 June 2020

In April 2020, the jQuery team released v3.5.0, which fixed two cross-site scripting (XSS) issues (CVE-2020-11022 and CVE-2020-11023); v3.5.1 followed in May 2020 to fix a regression introduced by that release.

In this post, I'll discuss why you should update both your jQuery and DevExpress installations.

Security Fixes

Both issues are XSS bugs in jQuery's DOM manipulation methods (.html(), .append(), etc.), which parse the strings handed to them as HTML. The jQuery team described the second of the two as follows:

The second issue was very similar to the first. It was an XSS vulnerability that had to do with passing <option> elements to jQuery’s DOM manipulation methods. Essentially, we’re using a regex to wrap <option> elements with <select> elements to ensure those elements get parsed correctly in old IE (IE <= 9 replaces any <option> tags with their contents when inserted outside of a <select> element). - Timmy Willison, jQuery Blog

Both issues affect jQuery versions older than v3.5.0. Because v3.5.1 also fixes a regression in v3.5.0, we encourage you to upgrade to jQuery v3.5.1 or later.

Upgrade DevExpress

Many DevExpress web components use jQuery, but these issues do not affect our web controls directly. Your own application code is a different matter: if it passes user-controlled input to the DOM manipulation methods listed above, an attacker can inject markup that executes script in the victim's browser (XSS), regardless of which controls the page uses.

The good news: both issues are fixed in jQuery v3.5.1+. As such, we've moved the following versions of our product suite to jQuery v3.5.1:

  • v19.1.11
  • v19.2.8
  • v20.1.4

I recommend that you install our update - this will be the easiest way to move to jQuery v3.5.1.

Learn more here: DevExpress Security Advisory

Upgrade npm packages

To update the jQuery package in your own project, install the fixed release explicitly. A bare "npm i jquery" only installs whatever your existing version range in package.json allows, which may still be an older 3.x:

npm install jquery@^3.5.1

Then confirm that no other dependency still pulls in an older copy of its own:

npm ls jquery

If you encounter any issues, please contact our support team for immediate assistance.

What’s New in v20.1

To explore the scope, breadth and capabilities of our new products/features, please visit: https://www.devexpress.com/Subscriptions/New-2020-1.xml.