From 279877e8531a1c5e820952136c0a84388479a6d0 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Tue, 22 Jan 2019 21:14:03 -0500
Subject: [PATCH] security/core#33 - Patch jQuery for CVE-2015-9251

See https://github.com/jquery/jquery/issues/2432#issuecomment-403761229

This will no longer be needed after upgrading to jQuery 3.x.
---
 js/Common.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/js/Common.js b/js/Common.js
index de326cda0e..93f7b1032f 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -1544,4 +1544,11 @@ if (!CRM.vars) CRM.vars = {};
 return (yiq >= 128) ? 'black' : 'white';
 };
 
+ // CVE-2015-9251 - Prevent auto-execution of scripts when no explicit dataType was provided
+ $.ajaxPrefilter(function(s) {
+ if (s.crossDomain) {
+ s.contents.script = false;
+ }
+ });
+
 })(jQuery, _);
-- 
2.25.1
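Review bot: The prefilter writes `s.contents.script = false` on the per-request settings object, which is only safe if the bundled jQuery's `ajaxSetup` deep-copies `contents` for every request rather than handing out the shared `$.ajaxSettings.contents`; if it is shared, the first cross-origin request would disable `text/javascript` sniffing for same-origin requests too (harmless for security, but a silent behaviour change worth confirming against the bundled jQuery version). The comment should also state the exact scope of the mitigation so a future reader does not widen or drop it by mistake: `// CVE-2015-9251: for cross-origin responses, do not auto-execute a JS content-type when no dataType was given; an explicit dataType: 'script' is still honoured. Mirrors jQuery 3.0 behaviour; drop after upgrading.` A defensive guard, `if (s.crossDomain && s.contents) {`, would keep the prefilter from throwing if a caller ever passes `contents: null`. The enclosing IIFE `})(jQuery, _)` starts well before this hunk.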