diff options
author | Oleg Gaidarenko <markelog@gmail.com> | 2015-09-10 13:40:00 +0300 |
---|---|---|
committer | Oleg Gaidarenko <markelog@gmail.com> | 2015-10-12 17:05:18 +0300 |
commit | b078a62013782c7424a4a61a240c23c4c0b42614 (patch) | |
tree | 09ac4a92a491478e487f8b9d05d363bc37d2d5ff | |
parent | 735dea34fb0ae625542d51eae3f4e7316e403eaa (diff) | |
download | jquery-b078a62013782c7424a4a61a240c23c4c0b42614.tar.gz jquery-b078a62013782c7424a4a61a240c23c4c0b42614.zip |
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg
Fixes gh-2432
Closes gh-2588
-rw-r--r-- | src/ajax.js | 2 | ||||
-rw-r--r-- | src/ajax/script.js | 7 | ||||
-rw-r--r-- | test/unit/ajax.js | 48 |
3 files changed, 56 insertions, 1 deletions
diff --git a/src/ajax.js b/src/ajax.js index 32b6a1be2..157934ef1 100644 --- a/src/ajax.js +++ b/src/ajax.js @@ -221,7 +221,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) { if ( current ) { - // There's only work to do if current dataType is non-auto + // There's only work to do if current dataType is non-auto if ( current === "*" ) { current = prev; diff --git a/src/ajax/script.js b/src/ajax/script.js index 60b1fb6b0..0ec27b4a5 100644 --- a/src/ajax/script.js +++ b/src/ajax/script.js @@ -4,6 +4,13 @@ define( [ "../ajax" ], function( jQuery, document ) { +// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) +jQuery.ajaxPrefilter( function( s ) { + if ( s.crossDomain ) { + s.contents.script = false; + } +} ); + // Install script dataType jQuery.ajaxSetup( { accepts: { diff --git a/test/unit/ajax.js b/test/unit/ajax.js index 14fe0bed6..647958773 100644 --- a/test/unit/ajax.js +++ b/test/unit/ajax.js @@ -71,6 +71,54 @@ QUnit.module( "ajax", { }; } ); + ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) { + return { + create: function( options ) { + options.crossDomain = true; + return jQuery.ajax( url( "data/script.php?header=ecma" ), options ); + }, + success: function() { + assert.ok( true, "success" ); + }, + complete: function() { + assert.ok( true, "complete" ); + } + }; + } ); + + ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, + function( assert ) { + return { + create: function( options ) { + options.crossDomain = true; + options.dataType = "script"; + return jQuery.ajax( url( "data/script.php?header=ecma" ), options ); + }, + success: function() { + assert.ok( true, "success" ); + }, + complete: function() { + assert.ok( true, "complete" ); + } + }; + } + ); + + ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) { + return { + create: function( options ) { + options.crossDomain = true; + return jQuery.ajax( url( "data/script.php" ), options ); + }, + success: function() { + assert.ok( true, "success" ); + }, + complete: function() { + assert.ok( true, "complete" ); + } + }; + } ); + ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) { return { setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ), |