From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001
From: Oleg Gaidarenko
Date: Thu, 10 Sep 2015 13:40:00 +0300
Subject: Ajax: Mitigate possible XSS vulnerability

Proposed by @jaubourg

Fixes gh-2432
Closes gh-2588
---
 src/ajax/script.js | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src/ajax')
diff --git a/src/ajax/script.js b/src/ajax/script.js
index 60b1fb6b0..0ec27b4a5 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
 "../ajax"
 ], function( jQuery, document ) {
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 accepts: {
-- cgit v1.2.3
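Review bot: The comment above the new `jQuery.ajaxPrefilter` call describes the symptom rather than the mechanism, which makes the scope of the mitigation hard to verify later: clearing `s.contents.script` only switches off the Content-Type–based inference that would turn a cross-domain response served as JavaScript into the `script` dataType, so an explicit `dataType: "script"` (or JSONP) request still evaluates the response exactly as before. I would reword it as `// Cross-domain responses with a script Content-Type are no longer auto-detected as "script" (and so not executed) unless the caller asks for that dataType explicitly (gh-2432)`. Two caveats worth a sentence in the comment as well: the prefilter is registered without a dataType filter, so it runs for every request and overrides any `contents.script` a caller passed for a cross-domain call, and it relies on `s.crossDomain` being computed correctly, so a caller that forces `crossDomain: false` opts out of the protection. The enclosing `define( ... function( jQuery, document ) {` callback begins before and ends after this hunk.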