Harden JS by disabling jQuery eval

Disable execution of eval in jQuery. We do require an allowed eval CSP
configuration at the moment for handlebars et al. But for jQuery there is
not much of a reason to execute JavaScript directly via eval.

This thus mitigates some unexpected XSS vectors. As an example, try to insert
`$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');`
with and without this patch in your browser's JS console when the file list
is opened.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
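The hardening above works by turning `jQuery.globalEval` into a no-op, which is what jQuery's `.html()` path calls for any `<script>` it finds in inserted markup. The following is an added example, not code from this commit or from Nextcloud/jQuery: it installs the same kind of guard but records each blocked attempt so a defender can see that something tried to execute code through jQuery. `installGlobalEvalGuard`, `makeFakeJQuery` and `demo` are hypothetical names; `makeFakeJQuery` is a constructed stand-in for just the `.html()` -> `globalEval` behaviour so the file runs under Node without a DOM.

```javascript
// Added example (not part of the original commit). A guard that, like the
// commit, never executes code handed to jQuery.globalEval, but additionally
// keeps a record of each blocked attempt for detection and triage.
function installGlobalEvalGuard(jq, report) {
  const blocked = [];
  jq.globalEval = function (code) {
    const entry = {
      at: new Date().toISOString(),
      // keep only a short prefix: enough to triage, not enough to replay
      preview: String(code).slice(0, 80),
    };
    blocked.push(entry);
    if (typeof report === 'function') report(entry);
    // deliberately no execution path, mirroring `jQuery.globalEval = function(){};`
  };
  return {
    blockedCount: () => blocked.length,
    blocked: () => blocked.slice(),
  };
}

// Constructed stand-in (hypothetical, not real jQuery) for the one behaviour
// that matters here: scripts found in markup passed to .html() are handed to
// jQuery.globalEval, whose upstream default evaluates them in global scope.
function makeFakeJQuery() {
  const jq = {
    globalEval: function (code) { return (0, eval)(code); },
    html: function (markup) {
      const scripts = [...markup.matchAll(/<script>([\s\S]*?)<\/script>/g)];
      scripts.forEach((m) => jq.globalEval(m[1]));
      return markup.replace(/<script>[\s\S]*?<\/script>/g, '');
    },
  };
  return jq;
}

// Reproduces the commit message's check: insert markup carrying a script
// through .html() and confirm the script body was blocked, not executed.
function demo() {
  const jq = makeFakeJQuery();
  const guard = installGlobalEvalGuard(jq);
  const rendered = jq.html('<a href="asd"><script>globalThis.evalRan = 1;</script></a>');
  return {
    rendered,
    blocked: guard.blockedCount(),
    executed: globalThis.evalRan === 1,
  };
}
```

Running `demo()` returns one blocked attempt, the anchor without its script, and `executed: false`; wiring `report` to `console.warn` or to an existing client-side error reporter is the only change needed to surface such attempts in production without giving them any execution path.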
Lukas Reschke 2017-03-16 23:03:02 +01:00
parent c4fe36cc02
commit 148e7abb51
No known key found for this signature in database
GPG key ID: B9F6980CF6E759B1


@ -1264,6 +1264,15 @@ function initCore() {
}
});
/**
* Disable execution of eval in jQuery. We do require an allowed eval CSP
* configuration at the moment for handlebars et al. But for jQuery there is
* not much of a reason to execute JavaScript directly via eval.
*
* This thus mitigates some unexpected XSS vectors.
*/
jQuery.globalEval = function(){};
/**
* Set users locale to moment.js as soon as possible
*/
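Review bot: replacing `jQuery.globalEval` with an empty function (`jQuery.globalEval = function(){};`) drops the code silently, so a blocked injection leaves no trace for detection, and legitimate callers break without any error: `$.getScript()` and `$.ajax({dataType: 'script'})` both hand the fetched text to `jQuery.globalEval` through jQuery's `"text script"` converter, and will now fetch the script and never run it. Consider having the replacement report the attempt, e.g. `jQuery.globalEval = function(code){ console.warn('jQuery.globalEval disabled', String(code).slice(0, 80)); };`, and grep the codebase for `getScript` and `dataType: 'script'` before merging. The docblock could also say where this is reached from in practice (`.html()`, `.append()` and friends evaluating inline `<script>` elements), since that is the XSS vector the commit message describes.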