
Commit b078a62

committed
Ajax: Mitigate possible XSS vulnerability
Proposed by @jaubourg. Fixes jquerygh-2432. Closes jquerygh-2588.
1 parent 735dea3 commit b078a62


3 files changed

+56
-1
lines changed


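--- a/src/ajax.js
+++ b/src/ajax.js
@@ -221,7 +221,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 
 if ( current ) {
 
-// There's only work to do if current dataType is non-auto
+// There's only work to do if current dataType is non-auto
 if ( current === "*" ) {
 
 current = prev;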

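--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
 "../ajax"
 ], function( jQuery, document ) {
 
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+if ( s.crossDomain ) {
+s.contents.script = false;
+}
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 accepts: {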
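Review bot: The comment on the added prefilter says scripts are blocked only "when no explicit dataType was provided", but the code sets `s.contents.script = false` for every cross-domain request regardless of dataType; the exemption presumably holds only because an explicit `dataType: "script"` never goes through response content sniffing, and that dependency is not visible here. Spelling it out would keep the mitigation from being weakened by a later refactor, e.g. `// Cross-domain responses are never sniffed as script; only an explicit dataType: "script" opts in (gh-2432)`. Note also that any caller-supplied `contents.script` pattern is overwritten for cross-domain requests, so the dataType option becomes the sole per-request opt-in; if that is intended, the comment should say so. The enclosing `define` callback starts and ends outside the hunk.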

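--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
 };
 } );
 
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+} );
+
+ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+options.dataType = "script";
+return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+}
+);
+
+ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
+return {
+create: function( options ) {
+options.crossDomain = true;
+return jQuery.ajax( url( "data/script.php" ), options );
+},
+success: function() {
+assert.ok( true, "success" );
+},
+complete: function() {
+assert.ok( true, "complete" );
+}
+};
+} );
+
 ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
 return {
 setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),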
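Review bot: The first and third added tests carry the identical name `"jQuery.ajax() - do not execute js (crossOrigin)"` (new lines 74 and 107), so a failure report cannot distinguish the `?header=ecma` case from the plain `data/script.php` case; renaming the third, e.g. `"jQuery.ajax() - do not execute js (crossOrigin, no script header)"`, keeps the two regressions separately identifiable. Non-execution is asserted only indirectly, through the expected assertion count of 2 versus 3, which presumably depends on the served script registering an assertion when it runs; an explicit check in `complete` that the script's side effect is absent would make the security intent readable without knowing what data/script.php emits. The `QUnit.module( "ajax", ...` block named in the hunk header starts outside the hunk.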
