
Commit f60729f

committed Oct 12, 2015
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg. Cherry-picked from b078a62. Fixes gh-2432. Closes gh-2588.
1 parent 5da5035 commit f60729f


2 files changed

+55
-0
lines changed


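--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
 "../ajax"
 ], function( jQuery, document ) {
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+if ( s.crossDomain ) {
+s.contents.script = false;
+}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 accepts: {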
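Review bot: The guard at the new `if ( s.crossDomain )` line does not itself check whether an explicit `dataType` was given, even though the comment above it says the mitigation applies only when none was; presumably it relies on `s.contents` being consulted only while the response type is sniffed from the Content-Type header, so a request with `dataType: "script"` still executes as the accompanying test expects. That dependency is worth stating next to the assignment, e.g. `// contents is only used for response-type sniffing, so an explicit dataType: "script" is unaffected`. The prefilter also writes into `s.contents` in place; if that object were ever shared with `jQuery.ajaxSettings.contents` rather than copied per request, the `script: false` flag would persist for later requests on the page, so confirm the settings merge deep-copies `contents` before relying on this. The enclosing `define()` module callback starts before and ends after the hunk.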

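--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -85,6 +85,54 @@ QUnit.module( "ajax", {
 };
 } );
 
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+} );
+
+ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+options.dataType = "script";
+return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+}
+);
+
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+return jQuery.ajax( url( "data/script.php" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+} );
+
 ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
 return {
 setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),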
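Review bot: The first and third new tests carry the identical name `"jQuery.ajax() - do not execute js (crossOrigin)"`, so a failure report cannot tell the `?header=ecma` case from the plain `data/script.php` case; rename the third, e.g. `ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin, no ecma header)", 2, function( assert ) {`. The "do not execute" property is also only checked indirectly: neither test asserts that the fetched script did not run, and the expected counts of 2 versus 3 presumably differ by the assertion the script itself would make on execution. A one-line comment above each count would make that intent explicit, e.g. `// expected count excludes the assertion data/script.php makes if it is executed`.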
