
jquery issue - Ajax: Mitigate possible XSS vulnerability

    Description

      https://nvd.nist.gov/vuln/detail/CVE-2015-9251

      The issue can be fixed by changing the default jquery configuration as shown below:

      ZK seems not affected by this (the commented-out log statement doesn't execute during ZK requests):

      // Prefilter runs on the per-request settings object before each jQuery Ajax call.
      // For cross-domain requests it disables Content-Type sniffing for "script", so a
      // text/javascript response is no longer auto-executed when no dataType was given.
      jq.ajaxPrefilter(function( s ) {
          //console.log("triggered ajaxPrefilter", s);
          if (s.crossDomain) {
              s.contents.script = false;
          }
      });


      see https://github.com/jquery/jquery/commit/cfe830eefdd7f1e7cb87e9841d1d732d6d99ffae

      This will become the default after upgrading to jquery 3.0.0+
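As an added illustration (not ZK's or jQuery's own code), the following JavaScript models jQuery's Content-Type sniffing for requests without an explicit dataType and shows that the prefilter above stops a cross-domain text/javascript response from being routed through the "text script" converter; the function and constant names are this example's own.

```javascript
// Model of jQuery's response handling for dataType "*": the response Content-Type is
// matched against each regex in settings.contents, and a "script" match sends the body
// through globalEval. Names here are this example's own, not jQuery's internals.
const DEFAULT_CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/, // registered by jQuery's ajax/script module
};

// The mitigation from the issue: no script sniffing for cross-domain requests.
function ajaxPrefilter(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// Per-request settings. jQuery copies 'contents' for every request, so the prefilter
// mutates this copy and the global defaults stay intact.
function buildSettings(crossDomain) {
  const s = { crossDomain, contents: Object.assign({}, DEFAULT_CONTENTS) };
  ajaxPrefilter(s);
  return s;
}

// First matching content type wins, falling back to "text"; a false entry never matches.
function resolveDataType(s, contentType) {
  for (const type of Object.keys(s.contents)) {
    if (s.contents[type] && s.contents[type].test(contentType)) {
      return type;
    }
  }
  return "text";
}

// True when the body would be handed to the "text script" converter and executed.
function wouldExecute(crossDomain, contentType) {
  return resolveDataType(buildSettings(crossDomain), contentType) === "script";
}

// Constructed sample: an endpoint answering with text/javascript. Same-origin keeps the
// old behaviour; cross-domain responses are now treated as plain text.
console.log(wouldExecute(false, "text/javascript; charset=utf-8")); // true
console.log(wouldExecute(true, "text/javascript; charset=utf-8"));  // false
console.log(DEFAULT_CONTENTS.script instanceof RegExp);             // true (default untouched)
```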

People

  DevChu
  cor3000