Description
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources – even after sanitizing it – to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Alternatively, a workaround is provided by [jQuery](https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6):
>To workaround this issue without upgrading, use DOMPurify with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
