security/core#33 - Patch jQuery for CVE-2015-9251

author Coleman Watts <coleman@civicrm.org>

Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)

committer Seamus Lee <seamuslee001@gmail.com>

Fri, 22 Feb 2019 00:09:29 +0000 (11:09 +1100)
author Coleman Watts <coleman@civicrm.org>
Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)
committer Seamus Lee <seamuslee001@gmail.com>
Fri, 22 Feb 2019 00:09:29 +0000 (11:09 +1100)
diff --git a/js/Common.js b/js/Common.js

index de326cda0e367aa6c7e91e8e0b2eb82e5e5f899a..93f7b1032f3574e03a46b012ca8f7a3f91df05af 100644 (file)
--- a/js/Common.js
+++ b/js/Common.js
@@ -1544,4 +1544,11 @@ if (!CRM.vars) CRM.vars = {};
      return (yiq >= 128) ? 'black' : 'white';
    };
  
+  // CVE-2015-9251 - Prevent auto-execution of scripts when no explicit dataType was provided
+  $.ajaxPrefilter(function(s) {
+    if (s.crossDomain) {
+      s.contents.script = false;
+    }
+  });
+
  })(jQuery, _);
author	Coleman Watts <coleman@civicrm.org>
	Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)
committer	Seamus Lee <seamuslee001@gmail.com>
	Fri, 22 Feb 2019 00:09:29 +0000 (11:09 +1100)