Harden JS by disabling jQuery eval
Disable execution of eval in jQuery. We do require an allowed eval CSP configuration at the moment for handlebars et al. But for jQuery there is not much of a reason to execute JavaScript directly via eval. This thus mitigates some unexpected XSS vectors. As an example, try to insert `$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');` with and without this patch in your browser's JS console when the file list is opened.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
parent
c4fe36cc02
commit
148e7abb51
1 changed file with 9 additions and 0 deletions
@ -1264,6 +1264,15 @@ function initCore() {
}
});

/**
 * Disable execution of eval in jQuery. We do require an allowed eval CSP
 * configuration at the moment for handlebars et al. But for jQuery there is
 * not much of a reason to execute JavaScript directly via eval.
 *
 * This thus mitigates some unexpected XSS vectors.
 */
jQuery.globalEval = function(){};

/**
 * Set users locale to moment.js as soon as possible
 */

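Review bot: the override on the `jQuery.globalEval = function(){};` line silently turns a public jQuery API into a no-op, and its protective effect rests on jQuery internally routing inline `<script>` content inserted via `.html()` through that same public function, which is an implementation detail of the bundled jQuery version rather than a documented contract; a later jQuery upgrade could bypass the override with no visible failure. Suggest extending the comment block to name the jQuery version this was verified against and the code path it covers, and adding a regression test around the snippet from the commit message (`$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');`) so a bypass would be caught. Consider also having the replacement log a warning instead of returning silently, so any remaining legitimate caller of `globalEval` shows up in the console rather than failing quietly.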