From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001 From: Oleg Gaidarenko Date: Thu, 10 Sep 2015 13:40:00 +0300 Subject: Ajax: Mitigate possible XSS vulnerability Proposed by @jaubourg Fixes gh-2432 Closes gh-2588 --- test/unit/ajax.js | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) (limited to 'test/unit/ajax.js') diff --git a/test/unit/ajax.js b/test/unit/ajax.js index 14fe0bed6..647958773 100644 --- a/test/unit/ajax.js +++ b/test/unit/ajax.js @@ -71,6 +71,54 @@ QUnit.module( "ajax", { }; } ); + ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) { + return { + create: function( options ) { + options.crossDomain = true; + return jQuery.ajax( url( "data/script.php?header=ecma" ), options ); + }, + success: function() { + assert.ok( true, "success" ); + }, + complete: function() { + assert.ok( true, "complete" ); + } + }; + } ); + + ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, + function( assert ) { + return { + create: function( options ) { + options.crossDomain = true; + options.dataType = "script"; + return jQuery.ajax( url( "data/script.php?header=ecma" ), options ); + }, + success: function() { + assert.ok( true, "success" ); + }, + complete: function() { + assert.ok( true, "complete" ); + } + }; + } + ); + + ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) { + return { + create: function( options ) { + options.crossDomain = true; + return jQuery.ajax( url( "data/script.php" ), options ); + }, + success: function() { + assert.ok( true, "success" ); + }, + complete: function() { + assert.ok( true, "complete" ); + } + }; + } ); + ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) { return { setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ), -- cgit v1.2.3