aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOleg Gaidarenko <markelog@gmail.com>2015-09-10 13:40:00 +0300
committerOleg Gaidarenko <markelog@gmail.com>2015-10-12 17:05:18 +0300
commitb078a62013782c7424a4a61a240c23c4c0b42614 (patch)
tree09ac4a92a491478e487f8b9d05d363bc37d2d5ff
parent735dea34fb0ae625542d51eae3f4e7316e403eaa (diff)
downloadjquery-b078a62013782c7424a4a61a240c23c4c0b42614.tar.gz
jquery-b078a62013782c7424a4a61a240c23c4c0b42614.zip
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg Fixes gh-2432 Closes gh-2588
-rw-r--r--src/ajax.js2
-rw-r--r--src/ajax/script.js7
-rw-r--r--test/unit/ajax.js48
3 files changed, 56 insertions, 1 deletions
diff --git a/src/ajax.js b/src/ajax.js
index 32b6a1be2..157934ef1 100644
--- a/src/ajax.js
+++ b/src/ajax.js
@@ -221,7 +221,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
if ( current ) {
- // There's only work to do if current dataType is non-auto
+ // There's only work to do if current dataType is non-auto
if ( current === "*" ) {
current = prev;
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 60b1fb6b0..0ec27b4a5 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
"../ajax"
], function( jQuery, document ) {
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
// Install script dataType
jQuery.ajaxSetup( {
accepts: {
diff --git a/test/unit/ajax.js b/test/unit/ajax.js
index 14fe0bed6..647958773 100644
--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
};
} );
+ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ } );
+
+ ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+ function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ options.dataType = "script";
+ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ }
+ );
+
+ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+ return {
+ create: function( options ) {
+ options.crossDomain = true;
+ return jQuery.ajax( url( "data/script.php" ), options );
+ },
+ success: function() {
+ assert.ok( true, "success" );
+ },
+ complete: function() {
+ assert.ok( true, "complete" );
+ }
+ };
+ } );
+
ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
return {
setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),