
jquery issue - Ajax: Mitigate possible XSS vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 8.0.5
    • Fix Version/s: 8.5.0
    • Component/s: ZK Client Engine
    • Security Level: Jimmy
    • Labels:
      None

      Description

      The issue can be fixed by changing the default jquery configuration as shown below:

      ZK seems not to be affected by this (the commented-out log statement doesn't execute during ZK requests).

      	// Prefilter hook: for cross-domain requests, drop the "script" entry from the
      	// content-type map so a response served as JavaScript is no longer auto-detected
      	// as script (and therefore not evaluated) based on its Content-Type header.
      	jq.ajaxPrefilter(function( s ) {
      		//console.log("triggered ajaxPrefilter", s);
      		if (s.crossDomain) {
      			s.contents.script = false;
      		}
      	});

      see https://github.com/jquery/jquery/commit/cfe830eefdd7f1e7cb87e9841d1d732d6d99ffae

      This will become the default after upgrading to jquery 3.0.0+
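The mitigation above, as an added example that is not part of this issue, of jQuery, or of ZK's own code: a small model of jQuery's response-type inference and of the ajaxPrefilter hook. It shows why a cross-domain reply served as text/javascript would be evaluated under the old default, why it is handled as plain text once the prefilter from the description is installed, and that same-origin script responses are unchanged. The request runner, the mock responses and the helper names (runRequest, inferDataType, defaultContents, MOCK_RESPONSES) are assumptions made for this model; only ajaxPrefilter and the crossDomain / contents settings mirror the real jQuery hook.

```javascript
// Added example: a minimal model of the jQuery behaviour this issue is about.
// It is not jQuery's or ZK's own code. `runRequest`, `inferDataType`,
// `defaultContents` and `MOCK_RESPONSES` are names invented for this model;
// `ajaxPrefilter` and the `crossDomain` / `contents` settings mirror the
// real jQuery hook used in the issue description.

const prefilters = [];

// Stand-in for jq.ajaxPrefilter(fn): fn may rewrite the settings object
// before the request is sent.
function ajaxPrefilter(fn) {
  prefilters.push(fn);
}

// Condensed version of jQuery's default `contents` map: when the caller
// gives no explicit dataType, the response Content-Type is matched against
// these patterns to decide how the body is handled. A `script` match means
// the body gets evaluated.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}

// Picks the first dataType whose pattern matches; entries set to `false`
// are skipped, which is exactly what the prefilter relies on.
function inferDataType(contents, contentType) {
  for (const [type, pattern] of Object.entries(contents)) {
    if (pattern && pattern.test(contentType)) {
      return type;
    }
  }
  return 'text';
}

// Constructed responses standing in for the network; no request is made.
const MOCK_RESPONSES = {
  'https://third-party.example/data': {
    contentType: 'text/javascript; charset=utf-8',
    body: 'window.hijacked = true;',
  },
  '/local/widget.js': {
    contentType: 'application/javascript',
    body: 'window.widgetReady = true;',
  },
};

// Runs the prefilters and the type inference for one request and reports
// whether the body would be evaluated. Nothing is eval'd here.
function runRequest(url, options) {
  const s = {
    url,
    crossDomain: Boolean(options.crossDomain),
    contents: defaultContents(),
  };
  for (const fn of prefilters) {
    fn(s);
  }
  const response = MOCK_RESPONSES[url];
  const dataType = inferDataType(s.contents, response.contentType);
  return { url, dataType, wouldExecute: dataType === 'script' };
}

// Compares the default behaviour with the behaviour after installing the
// prefilter from the issue description.
function demonstrate() {
  prefilters.length = 0; // fresh state so the comparison is repeatable
  const target = 'https://third-party.example/data';
  const before = runRequest(target, { crossDomain: true });

  // The mitigation from the description (the jQuery 3.0 default).
  ajaxPrefilter(function (s) {
    if (s.crossDomain) {
      s.contents.script = false;
    }
  });

  const after = runRequest(target, { crossDomain: true });
  // Same-origin script responses are not affected by the prefilter.
  const sameOrigin = runRequest('/local/widget.js', { crossDomain: false });
  return { before, after, sameOrigin };
}

console.log(demonstrate());
```

Running the block prints the three results: the cross-domain reply is typed `script` before the prefilter and `text` after it, while the same-origin `.js` reply keeps its `script` type. Applications that rely on cross-domain script responses after the upgrade must request `dataType: 'script'` explicitly, which is the same requirement jQuery 3.0.0+ imposes by default.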


              People

              • Assignee: DevChu
              • Reporter: cor3000
              • Votes: 0
              • Watchers: 2


                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: 0m
                  • Logged: 1h