Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-3724

jquery issue - Ajax: Mitigate possible XSS vulnerability

    XMLWordPrintable

Details

    Description

      https://nvd.nist.gov/vuln/detail/CVE-2015-9251

      The issue can be fixed by changing the default jquery configuration as shown below:

      ZK seems not affected by this (the commented out log statement doesn't execute in during ZK requests)

      	jq.ajaxPrefilter(function( s ) {
		//console.log("triggered ajaxPrefilter", s);
		if (s.crossDomain) {
			s.contents.script = false;
		}
	});

      see https://github.com/jquery/jquery/commit/cfe830eefdd7f1e7cb87e9841d1d732d6d99ffae

      This will become the default after upgrading to jquery 3.0.0+

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. ZK-4557 re-add fix for ZK-3724

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. ZK-3719 upgrade jquery version to 1.12.4

          • Later - No solution found yet.
          • Closed

          Activity

            People

              DevChu DevChu
              cor3000 cor3000
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour
                  1h