From: Coleman Watts Date: Wed, 23 Jan 2019 02:14:03 +0000 (-0500) Subject: security/core#33 - Patch jQuery for CVE-2015-9251 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=279877e8531a1c5e820952136c0a84388479a6d0;p=civicrm-core.git security/core#33 - Patch jQuery for CVE-2015-9251 See https://github.com/jquery/jquery/issues/2432#issuecomment-403761229 This will no longer be needed after upgrading to jQuery 3.x.
---
diff --git a/js/Common.js b/js/Common.js
index de326cda0e..93f7b1032f 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1544,4 +1544,11 @@ if (!CRM.vars) CRM.vars = {};
 return (yiq >= 128) ? 'black' : 'white';
 };
 
+ // CVE-2015-9251 - Prevent auto-execution of scripts when no explicit dataType was provided
+ $.ajaxPrefilter(function(s) {
+ if (s.crossDomain) {
+ s.contents.script = false;
+ }
+ });
+
 })(jQuery, _);
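Review bot: The added prefilter only disables the content-sniffing path, so an explicit `dataType: 'script'` (or `$.getScript`) to a cross-origin host still executes the response; that is the intended scope of the CVE-2015-9251 workaround, but the one-line comment does not say so, and a later reader may take `s.contents.script = false` for blanket script blocking. Spell out the scope and the removal condition in the comment, e.g. `// CVE-2015-9251: with no explicit dataType, do not let content sniffing auto-execute a cross-origin text/javascript response; explicit dataType 'script' is unaffected. Remove once jQuery is upgraded to 3.x.`. If any caller passes `contents: null` in its ajax options, `s.contents.script` would throw inside the prefilter — presumably none do here, but `if (s.crossDomain && s.contents) {` is a cheap guard. The enclosing IIFE that ends at `})(jQuery, _);` starts outside the hunk.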