XSS with XHR level2 cross domain request #1990

Closed
mala opened this Issue Jun 29, 2011 · 0 comments


@mala

jQuery Mobile can load another domain's HTML.
All versions of jQuery Mobile have a security risk: it can XSS or display fake content.

example:
http://jquerymobile.com/demos/1.0b1/#http://ma.la/tmp/jquerymobiletest.html

@gseguin gseguin added a commit to gseguin/jquery-mobile that referenced this issue Jun 30, 2011
@gseguin gseguin Fix for #1990: Introducing $.mobile.ajaxCrossDomainEnabled defaults to false
5fe3106
@gseguin gseguin was assigned Jun 30, 2011
@gseguin gseguin added a commit to gseguin/jquery-mobile that referenced this issue Jun 30, 2011
@gseguin gseguin More elegant fix for #1990
Re-use $.mobile.allowCrossDomainPages & call deferred.reject to notify caller of failure
2deeee1
@gseguin gseguin closed this Jul 7, 2011
@timmywil timmywil pushed a commit that referenced this issue Oct 24, 2011
@gseguin gseguin More elegant fix for #1990
Re-use $.mobile.allowCrossDomainPages & call deferred.reject to notify caller of failure
8c1eca1
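
The behaviour the fix commits describe (refuse a page URL taken from the location hash when it points at another origin unless `$.mobile.allowCrossDomainPages` is set, and reject so the caller is notified), as an added example that is not jQuery Mobile's own code. The function names, the default-deny setting object and the `app.example` / `other.example` hosts are assumptions made for illustration.

```javascript
// Added example, not jQuery Mobile source. Function names are hypothetical;
// only the option name allowCrossDomainPages comes from the commits above.
const settings = { allowCrossDomainPages: false }; // assumed default: deny

// Resolve the hash-supplied page reference against the current document
// and decide whether the loader may fetch it.
function checkPageRequest(hash, documentUrl, opts = settings) {
  const raw = hash.replace(/^#/, "");
  let target;
  try {
    // Resolving handles absolute, relative and protocol-relative (//host) forms
    target = new URL(raw, documentUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable", url: null };
  }
  // Only http(s) documents are pages; data: and similar schemes are refused
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { allowed: false, reason: "scheme", url: target.href };
  }
  // Origin = scheme + host + port, so a different port also counts as foreign
  const sameOrigin = target.origin === new URL(documentUrl).origin;
  if (!sameOrigin && !opts.allowCrossDomainPages) {
    return { allowed: false, reason: "cross-domain", url: target.href };
  }
  return {
    allowed: true,
    reason: sameOrigin ? "same-origin" : "opted-in",
    url: target.href,
  };
}

// Loader wrapper: a refused request rejects instead of silently doing nothing,
// which is the role deferred.reject plays in the commit message.
// fetchHtml is a caller-supplied function (hypothetical) returning a Promise.
function loadPage(hash, documentUrl, fetchHtml, opts = settings) {
  const verdict = checkPageRequest(hash, documentUrl, opts);
  if (!verdict.allowed) {
    return Promise.reject(new Error("page load refused: " + verdict.reason));
  }
  return fetchHtml(verdict.url);
}
```

The check compares resolved origins rather than matching on the raw string, so `#//other.example/...` is treated the same as an absolute `http://` URL.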