author | Oleg Gaidarenko <markelog@gmail.com> | 2015-09-10 13:40:00 +0300 |
---|---|---|
committer | Oleg Gaidarenko <markelog@gmail.com> | 2015-10-12 17:05:18 +0300 |
commit | b078a62013782c7424a4a61a240c23c4c0b42614 (patch) | |
tree | 09ac4a92a491478e487f8b9d05d363bc37d2d5ff /src/ajax | |
parent | 735dea34fb0ae625542d51eae3f4e7316e403eaa (diff) | |
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg
Fixes gh-2432
Closes gh-2588
Diffstat (limited to 'src/ajax')
-rw-r--r-- | src/ajax/script.js | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 60b1fb6b0..0ec27b4a5 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [ "../ajax" ], function( jQuery, document ) {
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 accepts: { |
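Review bot: The new comment says the prefilter acts "when no explicit dataType was provided", but the guard on the next line tests only `s.crossDomain`; nothing in the hunk checks whether dataType was explicit. The two agree only because `s.contents` (presumably) drives Content-Type sniffing alone, so an explicit `dataType: "script"` is unaffected while a cross-domain response sniffed as script is no longer auto-executed — that link is the whole mitigation and should be stated, e.g. `// s.contents only affects Content-Type sniffing; an explicit dataType: "script" still executes, but a cross-domain response can no longer be promoted to script by its Content-Type alone (gh-2432)`. It also appears to assume `s.contents` is a per-request copy rather than the shared `jQuery.ajaxSettings.contents`; if it were shared, the assignment would silently disable script sniffing for every later request, including same-origin ones, so that is worth confirming against ajaxSetup's deep-extend. The enclosing `define(...)` callback starts and ends outside the hunk.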