# jquery-xss-in-html
jQuery < 3.5 Cross-Site Scripting (XSS) in html()

Timmy Willison recently released a new version of jQuery. jQuery 3.5 fixes a cross-site scripting (XSS) vulnerability found in the jQuery’s HTML parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities.

Masato Kinugawa found a cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery, and published an example showing a popup alert window in the form of a challenge. (https://xss.pwnfunction.com/challenges/ww3/)

Below is a CodeQL query I wrote that can find user controlled values passed to html() which can be abused to perform Cross-Site Scripting.

Please check your projects, submit responsible disclosures to projects that might be affected.

```
/**
 * @name Taint-tracking to 'html' calls (with path visualization)
 * @description Tracks user-controlled values into 'html' calls (vulnerable to XSS in jQuery < 3.5)
 *              and generates a visualizable path from the source to the sink.
 * @kind path-problem
 * @tags security
 * @id js/html-taint-path
 */
import javascript
import DataFlow
import DataFlow::PathGraph
import DOM
import semmle.javascript.dependencies.FrameworkLibraries

class HtmlTaint extends TaintTracking::Configuration {
  HtmlTaint() { this = "HtmlTaint" }
  override predicate isSource(Node node) { node = DOM::locationSource() }
  override predicate isSink(Node node) { node =jquery().getACall().getAMethodCall("html").getArgument(0) }
}
from HtmlTaint cfg, PathNode source, PathNode sink, FrameworkLibraryInstance framework, string version
where cfg.hasFlowPath(source, sink) and framework.info("jquery", version)
select sink.getNode(), source, sink, "Html with user-controlled input from $@. When using jquery version $@.", source.getNode(), "here", framework, version
```