[]

[navnitan-7]

Summary

Align the bundled test copy test/data/jquery-3.7.1.js with the jQuery core XSS mitigation for CVE-2015-9251 / gh-2432 by adding the same ajaxConvert guard as upstream: jquery/jquery@2546bb35.

Changes

• Insert if ( s.crossDomain && current === "script" ) { continue; } in ajaxConvert before converter lookup.
• Add scripts/verify-jquery-cve-2015-9251.sh to grep for the guard (local/CI helper).

Reproduction (before)

The fixture file had no s.crossDomain && current === "script" branch inside ajaxConvert’s prev !== "*" && prev !== current block (vulnerable pattern relative to gh-2432).

Verification

• bash scripts/verify-jquery-cve-2015-9251.sh → ok
• npm run build:all && npm run lint && npm run test:browserless → pass
• npm run test:unit -- -b chrome --headless → 67 passed
• npm run test:esm → 67 passed, 3 skipped

Note: Full npm test (Chrome + Firefox headless) was not completed locally because the Firefox WebDriver failed to install on this machine (selenium-manager / geckodriver). Upstream CI should cover Firefox if applicable.

Scope

Two files: test fixture jQuery copy + small regression script; no changes to migrate library source.

Made with Cursor

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: navnitan-7 / name: navnitan-7 (a6bbbf0)

[timmywil]

Thank you for your contribution. However, the CVE listed was fixed in jQuery version 3.0.0, as it says. The vulnerability does not exist in 3.7.1. The patch is in a prefilter, which happens earlier. If you think you've discovered a new vulnerability, please have a look at https://github.com/jquery/jquery-migrate/security/policy and report it privately.