ZK-3724

jquery issue - Ajax: Mitigate possible XSS vulnerability

      https://nvd.nist.gov/vuln/detail/CVE-2015-9251

      The issue can be fixed by changing the default jQuery configuration as shown below:

      ZK does not seem to be affected by this (the commented-out log statement doesn't execute during ZK requests)

      	jq.ajaxPrefilter(function( s ) {
      		//console.log("triggered ajaxPrefilter", s);
      		if (s.crossDomain) {
      			s.contents.script = false;
      		}
      	});
      
      

      See https://github.com/jquery/jquery/commit/cfe830eefdd7f1e7cb87e9841d1d732d6d99ffae

      This will become the default after upgrading to jQuery 3.0.0+.
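
      Why setting `s.contents.script = false` is enough, as an added example that is not part of the original issue and is not jQuery's own code: a simplified model of the Content-Type based type inference that jQuery before 3.0.0 performs when a request has no `dataType`. The names `makeSettings`, `zkPrefilter`, `inferType` and `handle` are hypothetical, and the sample cases are constructed.

```javascript
// Simplified model (not jQuery source): with no dataType, the response's
// Content-Type is matched against the regexes in s.contents, and a "script"
// match means the body is evaluated as JavaScript.
function makeSettings(crossDomain, dataType) {
  return {
    crossDomain: crossDomain,
    dataTypes: [dataType || "*"],          // "*" = caller did not set dataType
    contents: { xml: /\bxml\b/, html: /\bhtml/, json: /\bjson\b/,
                script: /\b(?:java|ecma)script\b/ }
  };
}

// The prefilter from the issue, written as a plain function over settings.
function zkPrefilter(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// Returns the type the response would be handled as.
function inferType(s, contentType) {
  if (s.dataTypes[0] !== "*") {
    return s.dataTypes[0];                 // explicit dataType is not inferred
  }
  for (const type in s.contents) {
    if (s.contents[type] && s.contents[type].test(contentType)) {
      return type;
    }
  }
  return "text";                           // no match: body stays inert text
}

function handle(crossDomain, contentType, usePrefilter, dataType) {
  const s = makeSettings(crossDomain, dataType);
  if (usePrefilter) zkPrefilter(s);
  return inferType(s, contentType);
}

// Constructed cases: [crossDomain, Content-Type, prefilter installed, dataType]
const cases = [
  [true, "text/javascript", false],          // unmitigated cross-domain
  [true, "text/javascript", true],           // mitigated cross-domain
  [false, "text/javascript", true],          // same-origin is left alone
  [true, "application/json", true],          // other inference still works
  [true, "text/javascript", true, "script"]  // explicit opt-in still honoured
];
for (const c of cases) console.log(JSON.stringify(c), "->", handle(...c));
```

      The prefilter only removes the automatic promotion to `script` for cross-domain requests; a caller that explicitly sets `dataType: "script"` still gets script handling.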

            DevChu
            cor3000