author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2017-03-17 08:31:12 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-17 08:31:12 +0100 |
commit | 7a3acff7824ad8a83f6fcec7915a8a88b0a7d4df (patch) | |
tree | 18f7c9564e9600c0678d1ac02154461be43ae840 | |
parent | 88e68b50587adfb5f35291e1b62df51010dfc09f (diff) | |
parent | 148e7abb5143a4003d01989c89424900d94e65aa (diff) | |
download | nextcloud-server-7a3acff7824ad8a83f6fcec7915a8a88b0a7d4df.tar.gz nextcloud-server-7a3acff7824ad8a83f6fcec7915a8a88b0a7d4df.zip |
Merge pull request #3874 from nextcloud/harden-js-by-disabling-eval-execution
Harden JS by disabling jQuery eval
-rw-r--r-- | core/js/js.js | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/js/js.js b/core/js/js.js
index c8907cdfc90..5c737d41793 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1265,6 +1265,15 @@ function initCore() {
 });
 /**
+ * Disable execution of eval in jQuery. We do require an allowed eval CSP
+ * configuration at the moment for handlebars et al. But for jQuery there is
+ * not much of a reason to execute JavaScript directly via eval.
+ *
+ * This thus mitigates some unexpected XSS vectors.
+ */
+ jQuery.globalEval = function(){};
+
+ /**
 * Set users locale to moment.js as soon as possible
 */
 moment.locale(OC.getLocale());
|
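Review bot: Replacing `jQuery.globalEval` with an empty `function(){}` turns every jQuery feature that routes through it into a silent no-op, so a caller that still relies on it (`$.getScript`, a `dataType: 'script'` response, or — depending on the bundled jQuery version — inline script nodes inserted via `.html()`/`.append()`) breaks with no log line and no exception to point at this hardening. A stub that records the attempt keeps the mitigation but makes regressions visible, e.g. `jQuery.globalEval = function() { console.warn('jQuery.globalEval is disabled by core'); };`, and the block comment should name which jQuery entry points are intentionally disabled so app authors do not hunt for the cause. Note also that the override only takes effect once `initCore` runs, so anything that captured the original `globalEval` before that point keeps a working reference; a short sentence in the comment stating that limitation would be useful. `initCore` begins and ends outside this hunk.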