-rw-r--r-- | core/js/js.js | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/js/js.js b/core/js/js.js
index c8907cdfc90..5c737d41793 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1265,6 +1265,15 @@ function initCore() {
 });
 /**
+ * Disable execution of eval in jQuery. We do require an allowed eval CSP
+ * configuration at the moment for handlebars et al. But for jQuery there is
+ * not much of a reason to execute JavaScript directly via eval.
+ *
+ * This thus mitigates some unexpected XSS vectors.
+ */
+ jQuery.globalEval = function(){};
+
+ /**
  * Set users locale to moment.js as soon as possible
  */
 moment.locale(OC.getLocale());
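Review bot: Replacing `jQuery.globalEval` with an empty function turns every path that depends on it into a silent no-op, so a legitimate caller that breaks gives no signal at all — in the jQuery 1.x/2.x line, `jQuery.getScript`, `$.ajax` with `dataType: 'script'` and inline `<script>` content inserted through `.html()`/`.append()` are all routed through `jQuery.globalEval`, so those features stop working without an error (the bundled jQuery version is not visible in this hunk, so confirm against it). A stub that reports the attempt keeps the mitigation while making any remaining use visible in the console and in tests: `jQuery.globalEval = function () { console.warn('jQuery.globalEval is disabled by core'); };`. The doc comment should also name the side effect rather than only the motivation, e.g. `* Note: this also disables jQuery.getScript and <script> tags inserted via .html()/.append().`. The enclosing initCore() body starts and ends outside the hunk.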