"docs/git@forge.tedomum.net:tedomum/synapse.git" did not exist on "aeeca2a62ebfb601efa7930acae0897c8d3e43df"
Lukas Reschke authored
Disable execution of eval in jQuery. We do require an allowed eval CSP configuration at the moment for handlebars et al. But for jQuery there is not much of a reason to execute JavaScript directly via eval. This thus mitigates some unexpected XSS vectors. As an example try to insert `$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');` with and without this patch in your browser's JS console when the file list is opened.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
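To show what the commit message is getting at, here is an added illustration; it is not the commit's own change and not jQuery itself. It uses a small constructed stand-in for the part of jQuery that matters: when `.html()` inserts markup, jQuery collects the bodies of any inline `<script>` elements and hands them to `jQuery.globalEval`. Replacing `globalEval` with a no-op, as the commit describes, leaves the markup insertion intact but removes the script-execution step. The `makeJq` / `disableGlobalEval` names and the recording-instead-of-evaluating behaviour are assumptions of this example.

```javascript
// Constructed stand-in for the jQuery behaviour under discussion (not the real library).
// The real globalEval evaluates code; this one only records what it would have run,
// so the example is safe to execute and easy to assert on.
function makeJq() {
  const jq = {
    executed: [], // script bodies that reached globalEval
    globalEval(code) {
      jq.executed.push(code);
    },
    // Models jQuery's DOM-manipulation step: after writing markup, every inline
    // <script> body is passed to jQuery.globalEval (looked up at call time).
    html(markup) {
      const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
      let match;
      while ((match = scriptRe.exec(markup)) !== null) {
        jq.globalEval(match[1]);
      }
      // the markup itself would be written into the DOM here
      return jq;
    },
  };
  return jq;
}

// The mitigation from the commit message: make globalEval a no-op so
// inline scripts reached through .html()/.append() are no longer evaluated.
function disableGlobalEval(jq) {
  jq.globalEval = function () {};
  return jq;
}

// The markup from the commit message, used as constructed test input.
const SAMPLE_MARKUP = '<a href="asd"><script>alert(1)</script></a>';

// Number of script bodies that reach evaluation without the patch.
function scriptsRunWithoutPatch() {
  const jq = makeJq();
  jq.html(SAMPLE_MARKUP);
  return jq.executed.length;
}

// Number of script bodies that reach evaluation with the patch applied.
function scriptsRunWithPatch() {
  const jq = disableGlobalEval(makeJq());
  jq.html(SAMPLE_MARKUP);
  return jq.executed.length;
}

console.log("without patch:", scriptsRunWithoutPatch()); // 1
console.log("with patch:", scriptsRunWithPatch()); // 0
```

One caveat worth checking against the jQuery version actually shipped: the override only helps where jQuery's DOM-manipulation code reaches evaluation through the public `jQuery.globalEval` property (as the 1.x and 2.x lines do); later releases call an internal evaluation helper directly, so the same one-line override would not cover them. Also note that this is a mitigation for one jQuery-specific vector, not a substitute for output encoding and a CSP without `unsafe-eval`.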