Passing HTML containing
<option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e.
.append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.