authorOleg Gaidarenko <markelog@gmail.com>2015-09-10 13:40:00 +0300
committerOleg Gaidarenko <markelog@gmail.com>2015-10-12 17:05:18 +0300
commitb078a62013782c7424a4a61a240c23c4c0b42614 (patch)
tree09ac4a92a491478e487f8b9d05d363bc37d2d5ff /src/ajax
parent735dea34fb0ae625542d51eae3f4e7316e403eaa (diff)
downloadjquery-b078a62013782c7424a4a61a240c23c4c0b42614.tar.gz
jquery-b078a62013782c7424a4a61a240c23c4c0b42614.zip
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg. Fixes gh-2432. Closes gh-2588.
Diffstat (limited to 'src/ajax')
-rw-r--r--src/ajax/script.js7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 60b1fb6b0..0ec27b4a5 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
"../ajax"
], function( jQuery, document ) {
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
// Install script dataType
jQuery.ajaxSetup( {
accepts: {