author | Lukas Reschke <lukas@owncloud.com> | 2015-09-14 14:08:16 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2015-09-15 11:42:13 +0200 |
commit | f2d63d351852bea601680da25bc881a3c76701da (patch) | |
tree | fbcfe18153f62e80a308c4a3a680fb2ae4f16054 /core | |
parent | cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3 (diff) | |
Disable automatic evaluation of responses
If a response to a $.ajax() request returns a content type of "application/javascript",
jQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.
Diffstat (limited to 'core')
-rw-r--r-- | core/js/js.js | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/core/js/js.js b/core/js/js.js
index 8d3756ae2ec..de773dc1221 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1215,6 +1215,20 @@ function object(o) {
  * Initializes core
  */
 function initCore() {
+ /**
+ * Disable automatic evaluation of responses for $.ajax() functions (and its
+ * higher-level alternatives like $.get() and $.post()).
+ *
+ * If a response to a $.ajax() request returns a content type of "application/javascript"
+ * JQuery would previously execute the response body. This is a pretty unexpected
+ * behaviour and can result in a bypass of our Content-Security-Policy as well as
+ * multiple unexpected XSS vectors.
+ */
+ $.ajaxSetup({
+ contents: {
+ script: false
+ }
+ });
 /**
  * Set users locale to moment.js as soon as possible
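Review bot: The `contents: { script: false }` override in initCore only switches off jQuery's content-type based detection, so a request that explicitly passes `dataType: 'script'` (which `$.getScript()` does) still has its body evaluated; that is presumably intended, but the new comment should state it so a later reader does not assume every script-typed response is now inert. Suggested addition to the comment block: `* Requests with an explicit dataType of 'script' (e.g. $.getScript) are unaffected; only content-type auto-detection is disabled.` Because `$.ajaxSetup()` merges into the global defaults, a later `$.ajaxSetup({ contents: ... })` from another script on the page could presumably reinstate the script pattern, which is worth a sentence in the comment as well. If any `$.ajax()` call can fire before initCore runs, the override would also have to move earlier, which cannot be judged from this hunk; initCore's body continues outside the hunk.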