Ajax: Mitigate possible XSS vulnerability

Proposed by @jaubourg Cherry-picked from b078a62013 Fixes gh-2432 Closes gh-2588
2026-02-02 12:55:02 -05:00 · 2015-09-10 13:40:00 +03:00
parent 5da5035039
commit f60729f390
2 changed files with 55 additions and 0 deletions
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -4,6 +4,13 @@ define( [
 	"../ajax"
 ], function( jQuery, document ) {

+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+    if ( s.crossDomain ) {
+        s.contents.script = false;
+    }
+} );
+
 // Install script dataType
 jQuery.ajaxSetup( {
 	accepts: {