8000 Ajax: Mitigate possible XSS vulnerability · draios/jquery@3493060 · GitHub


Commit 3493060

markelogdavideschiera
authored andcommitted
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg Fixes jquerygh-2432 Closes jquerygh-2588 (cherry picked from commit b078a62) # Conflicts: # test/unit/ajax.js
1 parent 7751e69 commit 3493060


3 files changed

+56
-1
lines changed


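--- a/src/ajax.js
+++ b/src/ajax.js
@@ -214,7 +214,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 
 if ( current ) {
 
-// There's only work to do if current dataType is non-auto
+// There's only work to do if current dataType is non-auto
 if ( current === "*" ) {
 
 current = prev;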

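--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -3,6 +3,13 @@ define([
 "../ajax"
 ], function( jQuery ) {
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+if ( s.crossDomain ) {
+s.contents.script = false;
+}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup({
 accepts: {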
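Review bot: The prefilter added at `jQuery.ajaxPrefilter( function( s ) {` writes `s.contents.script = false` into the request's settings object, which is only safe if `s.contents` is a per-request copy rather than the shared `jQuery.ajaxSettings.contents`; the hunk does not show how `s` is built, so this is worth confirming, because if the object were shared the first cross-domain request would silently disable script auto-detection for every later same-origin request as well. The comment should also spell out the resulting contract so the next reader does not have to reverse it from `ajaxConvert`, e.g. `// Cross-domain responses are never auto-converted to "script" from their Content-Type; callers must opt in with dataType: "script" (see gh-2432)`. Note the mitigation keys off `s.crossDomain` at prefilter time only; a same-origin response served with a script Content-Type is still auto-executed, which appears to be the intended scope but deserves a sentence in that comment. The enclosing `define(` callback continues outside the hunk.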

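--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -65,6 +65,54 @@ module( "ajax", {
 }
 });
 
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+} );
+
+ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+options.dataType = "script";
+return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+}
+);
+
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+return jQuery.ajax( url( "data/script.php" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+} );
+
 ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, {
 setup: addGlobalEvents("ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess"),
 url: url("data/name.html"),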
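Review bot: Two of the added tests carry the identical title `"jQuery.ajax() - do not execute js (crossOrigin)"` (new lines 68 and 101) and differ only in whether the request URL has `?header=ecma`, so a failure in either cannot be attributed from the QUnit report; give the second a distinct title such as `"jQuery.ajax() - do not execute js (crossOrigin, no script Content-Type)"`, on the assumption that `header=ecma` is what makes `data/script.php` respond with a script Content-Type — confirm against the fixture. The two non-execution tests expect exactly 2 assertions while the `options.dataType = "script"` variant expects 3; presumably the third assertion is raised by the served script itself, which is what turns the expected-count into a proof of non-execution, so a one-line comment above the first test stating that would make the intent clear. The `module( "ajax", {` block named in the hunk header closes before these additions.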
