Revert "Ajax: Mitigate possible XSS vulnerability"
authorOleg Gaidarenko <markelog@gmail.com>
Wed, 11 Nov 2015 15:55:44 +0000 (18:55 +0300)
committerOleg Gaidarenko <markelog@gmail.com>
Wed, 11 Nov 2015 15:55:44 +0000 (18:55 +0300)
This reverts commit b078a62013782c7424a4a61a240c23c4c0b42614.

src/ajax.js
src/ajax/script.js
test/unit/ajax.js

index bb69cf1d39ffb06994967f37d087f8f545fc4f38..4feed36b5762ed3f3d593493897de1a00eef5c0a 100644 (file)
@@ -223,7 +223,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 
                if ( current ) {
 
-                       // There's only work to do if current dataType is non-auto
+               // There's only work to do if current dataType is non-auto
                        if ( current === "*" ) {
 
                                current = prev;
index 485ba397be6d8bbdf2a29b8cde3c93d22ab6c2fb..945bea9daecb5df868b15b47c1e44d6cd47771be 100644 (file)
@@ -4,13 +4,6 @@ define( [
        "../ajax"
 ], function( jQuery, document ) {
 
-// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
-jQuery.ajaxPrefilter( function( s ) {
-       if ( s.crossDomain ) {
-               s.contents.script = false;
-       }
-} );
-
 // Install script dataType
 jQuery.ajaxSetup( {
        accepts: {
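Review bot: With the `jQuery.ajaxPrefilter` block removed from src/ajax/script.js, nothing in this file clears `s.contents.script` for `s.crossDomain` requests any more, so, going by the removed comment, a cross-domain response served with a script content type is again auto-executed when the caller gives no `dataType` (gh-2432). The commit message gives no reason for the revert, and the three cross-origin tests in test/unit/ajax.js are dropped with it, so the reopened behaviour is neither explained nor covered. If the revert has to stand, I would keep a marker above `// Install script dataType`, e.g. `// FIXME(gh-2432): cross-domain responses are still auto-executed when no dataType is given`, and keep the "do not execute js (crossOrigin)" test in a skipped or expected-failure form so the gap stays visible. Until a replacement mitigation lands, callers that request other origins should pass an explicit `dataType`.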
index 4eb70cad892f5768f71e6dd7104208d078458603..8e7cc06f49a313f9c09d4a5cd5fbe8fa2cf4b3e7 100644 (file)
@@ -71,54 +71,6 @@ QUnit.module( "ajax", {
                };
        } );
 
-       ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
-               return {
-                       create: function( options ) {
-                               options.crossDomain = true;
-                               return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
-                       },
-                       success: function() {
-                               assert.ok( true, "success" );
-                       },
-                       complete: function() {
-                               assert.ok( true, "complete" );
-                       }
-               };
-       } );
-
-       ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
-               function( assert ) {
-                       return {
-                               create: function( options ) {
-                                       options.crossDomain = true;
-                                       options.dataType = "script";
-                                       return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
-                               },
-                               success: function() {
-                                       assert.ok( true, "success" );
-                               },
-                               complete: function() {
-                                       assert.ok( true, "complete" );
-                               }
-                       };
-               }
-       );
-
-       ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
-               return {
-                       create: function( options ) {
-                               options.crossDomain = true;
-                               return jQuery.ajax( url( "data/script.php" ), options );
-                       },
-                       success: function() {
-                               assert.ok( true, "success" );
-                       },
-                       complete: function() {
-                               assert.ok( true, "complete" );
-                       }
-               };
-       } );
-
        ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
                return {
                        setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),