

Commit c254d30

committed
Ajax: Mitigate possible XSS vulnerability
Fixes gh-2432
1 parent 250a199 commit c254d30


2 files changed

+54
-1
lines changed


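--- a/src/ajax.js
+++ b/src/ajax.js
@@ -221,14 +221,19 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 
 		if ( current ) {
 
-			// There's only work to do if current dataType is non-auto
+			// There's only work to do if current dataType is non-auto
 			if ( current === "*" ) {
 
 				current = prev;
 
 			// Convert response if prev dataType is non-auto and differs from current
 			} else if ( prev !== "*" && prev !== current ) {
 
+				// Mitigate possible XSS vulnerability (gh-2432)
+				if ( s.crossDomain && current === "script" ) {
+					continue;
+				}
+
 				// Seek a direct converter
 				conv = converters[ prev + " " + current ] || converters[ "* " + current ];
 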
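Review bot: The new guard at new lines 232–235 carries only an issue number, so a reader cannot tell from `// Mitigate possible XSS vulnerability (gh-2432)` what is being refused or why `continue` is the safe outcome; suggest `// Never hand a cross-domain response to the "script" converter unless the caller asked for dataType "script" (gh-2432); the response stays in its previous form`. The added test in test/unit/ajax.js expects an explicit `dataType: "script"` to still execute, which suggests that case never reaches this branch, but this hunk does not show how, so the comment should state the intent rather than rely on the reader reconstructing it. Note also that `continue` skips the rest of the loop body, including any `prev = current` bookkeeping after the converter lookup, so the next dataType in the chain is converted from the previous type; ajaxConvert's loop continues outside the hunk, so confirm that is the intended behaviour. The check depends on `s.crossDomain` having been computed before ajaxConvert runs, which is not visible here.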
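--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
 		};
 	} );
 
+	ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+		return {
+			create: function( options ) {
+				options.crossDomain = true;
+				return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+			},
+			success: function() {
+				assert.ok( true, "success" );
+			},
+			complete: function() {
+				assert.ok( true, "complete" );
+			}
+		};
+	} );
+
+	ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+		function( assert ) {
+			return {
+				create: function( options ) {
+					options.crossDomain = true;
+					options.dataType = "script";
+					return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+				},
+				success: function() {
+					assert.ok( true, "success" );
+				},
+				complete: function() {
+					assert.ok( true, "complete" );
+				}
+			};
+		}
+	);
+
+	ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+		return {
+			create: function( options ) {
+				options.crossDomain = true;
+				return jQuery.ajax( url( "data/script.php" ), options );
+			},
+			success: function() {
+				assert.ok( true, "success" );
+			},
+			complete: function() {
+				assert.ok( true, "complete" );
+			}
+		};
+	} );
+
 	ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
 		return {
 			setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),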
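Review bot: Two of the added tests share the exact name `"jQuery.ajax() - do not execute js (crossOrigin)"` (new line 74 requesting `data/script.php?header=ecma`, new line 107 requesting `data/script.php`), so a failure report cannot say which variant broke; give the second a name that states the difference, e.g. `"jQuery.ajax() - do not execute js (crossOrigin, no header param)"`. Both "do not execute" tests assert only that `success` and `complete` fire, which would also pass if the script were evaluated; if the `data/script.php` fixture leaves a detectable side effect when run, asserting its absence inside `success` would test the non-execution claim directly — the fixture is not visible here, so confirm what it does. The middle test at new line 89 expects 3 assertions while its callbacks contain two `assert.ok` calls, which presumably means the evaluated script contributes the third; a short comment saying so, e.g. `// third assertion comes from the evaluated script`, would make the count self-explanatory.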
