Ajax: Mitigate possible XSS vulnerability #2588

Ajax: Mitigate possible XSS vulnerability
Fixes gh-2432
markelog committed Sep 10, 2015
commit c254d308a7d3f1eac4d0b42837804cfffcba4bb2
7 changes: 6 additions & 1 deletion src/ajax.js
Expand Up @@ -221,14 +221,19 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {

if ( current ) {

// There's only work to do if current dataType is non-auto
// There's only work to do if current dataType is non-auto
if ( current === "*" ) {

current = prev;

// Convert response if prev dataType is non-auto and differs from current
} else if ( prev !== "*" && prev !== current ) {

// Mitigate possible XSS vulnerability (gh-2432)
if ( s.crossDomain && current === "script" ) {
continue;
}

// Seek a direct converter
conv = converters[ prev + " " + current ] || converters[ "* " + current ];

48 changes: 48 additions & 0 deletions test/unit/ajax.js
Expand Up @@ -71,6 +71,54 @@ QUnit.module( "ajax", {
};
} );

ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {


Ain't you using assert.expect(2) anymore? xD

return {
create: function( options ) {
options.crossDomain = true;
return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
},
success: function() {
assert.ok( true, "success" );
},
complete: function() {
assert.ok( true, "complete" );
}
};
} );

ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
function( assert ) {
return {
create: function( options ) {
options.crossDomain = true;
options.dataType = "script";
return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
},
success: function() {
assert.ok( true, "success" );
},
complete: function() {
assert.ok( true, "complete" );
}
};
}
);

ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
return {
create: function( options ) {
options.crossDomain = true;
return jQuery.ajax( url( "data/script.php" ), options );
},
success: function() {
assert.ok( true, "success" );
},
complete: function() {
assert.ok( true, "complete" );
}
};
} );

ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
return {
setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),
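Review bot: The three new tests (starting at the `ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, ...` line and the two that follow) only call `assert.ok( true, ... )` inside success and complete, so they pass whether or not the cross-origin script was executed and therefore do not verify the mitigation at all. Each should assert on an observable side effect of data/script.php, e.g. in the do-not-execute tests `assert.strictEqual( window.SCRIPT_RAN_MARKER, undefined, "script was not executed" );` and the inverse in the explicit-dataType test, where SCRIPT_RAN_MARKER is a placeholder for whatever global data/script.php actually defines. The first and third tests also share the exact title "jQuery.ajax() - do not execute js (crossOrigin)", which makes a failure ambiguous in QUnit output; the first could be renamed to mention the `?header=ecma` variant it exercises.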