
"jQuery Migrate" is a Sink, too?!


or How "jQuery Migrate" un-fixes a nasty DOMXSS without telling us...

Foreword

Today Mario Heiderich of Cure53 tweeted the following message:

"@0x6D6172696F Does anyone know why jquery.com has a special jQuery 1.9.1 version that is still vulnerable to $(location.hash)?"

What happened after that message might be considered the discovery of a rather interesting bug, which Mario and I will try to wrap up in this joint blog post.


