This appears to be a vulnerability in that the "load()" function will not correctly filter out JavaScript from loaded HTML.

https://snyk.io/vuln/SNYK-JS-JQUERY-569619

As per was supposedly fixed in the following commit:

https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a

NOTE: 20200606: This was fixed upstream in a set of wider changes
NOTE: 20200606: (a938d7b128) which cannot be applied. Even the specific dlaneeded.txt

The relevant line that has been changed is this one.

https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a#diff-c3749d3acba09ca9ec16bb56e496408bR177

Before (if selector set):

    rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,

    jQuery("<div>")
        .append( responseText.replace( rscript, "" ) )
        .find( selector ) :

Before (if selector not set): responseText is used as is.

After (if selector set):

    jQuery("<div>").append( jQuery.parseHTML( responseText ) ).find( selector ) :

After (if selector not set): responseText is used as is.

OK, so for the case where selector is set, we now call parseHTML instead of replacing the text. Presumably this fixes the problem. But this function is not available in the Jessie version.

But even more importantly, it looks to me like if selector was not given, we don't do any filtering of JavaScript if a selector is not provided. Even in the latest version of master.

https://github.com/jquery/jquery/blob/master/src/ajax/load.js#L58

Does this mean the security bug is not sufficiently fixed? Or do we only need to filter out JavaScript if a selector is provided for some reason?

I am also a bit puzzled, I would have expected a function called load() would load JavaScript, and if you add it to the DOM as per the example, I would expect it to be executed.

https://snyk.io/vuln/SNYK-JS-JQUERY-569619
--
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
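
The two pre-fix branches quoted in the message above, modelled at string level as an added example (not part of the original message and not jQuery's own code). The `rscript` regex is copied from the message; `markupToInsert`, `containsScriptTag`, `audit` and the sample response are hypothetical names and constructed data, and the DOM steps (`append`, `find`) are not modelled.

```javascript
// Regex as quoted in the message (the "before" code of .load()).
const rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// Hypothetical helper: returns the markup string that each pre-fix branch
// passes on for DOM insertion.
//   selector set     -> script blocks are stripped with rscript first
//   selector not set -> responseText is used as is
function markupToInsert(responseText, selector) {
  return selector ? responseText.replace(rscript, "") : responseText;
}

// Hypothetical check: does the markup still carry a <script> start tag?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Run one response through both branches and report whether a script
// element reaches the insertion step in each case.
function audit(responseText) {
  return {
    withSelector: containsScriptTag(markupToInsert(responseText, "#content")),
    withoutSelector: containsScriptTag(markupToInsert(responseText, "")),
  };
}

// Constructed sample response, not taken from any real server.
const sample =
  '<div id="content"><p>hello</p><script>console.log("inline")</script></div>';

console.log(markupToInsert(sample, "#content"));
console.log(audit(sample));
```
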