Unverified Commit 148e7abb authored by Lukas Reschke

Harden JS by disabling jQuery eval


Disable execution of eval in jQuery. We do require an allowed eval CSP
configuration at the moment for handlebars et al. But for jQuery there is
not much of a reason to execute JavaScript directly via eval.

This thus mitigates some unexpected XSS vectors. As an example, try to insert
`$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');`
with and without this patch in your browser's JS console when the file list
is opened.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
parent c4fe36cc
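A hardening shim in the spirit of this commit, as an added example that is not the commit's own diff: it replaces `jQuery.globalEval` with a no-op that records what it refused to run, plus a self-check that confirms inline `<script>` text passed to `.html()` no longer executes. It assumes a jQuery build that routes such scripts through `jQuery.globalEval` (jQuery 1.x and 2.x do; jQuery 3 uses an internal evaluator instead); `hardenJQuery`, `inlineScriptRuns`, `demo` and the jQuery stand-in are constructed here.

```javascript
// Added example, not the commit's diff. Assumes a jQuery build whose
// .html()/.append() hand inline <script> text to jQuery.globalEval
// (jQuery 1.x and 2.x do; jQuery 3 uses an internal evaluator instead).

const blockedScripts = []; // audit trail of script text the shim refused to run

// Mitigation: replace jQuery.globalEval with a no-op that only records the
// script text, so markup injected through .html()/.append() cannot execute.
function hardenJQuery(jq) {
  jq.globalEval = function (code) {
    blockedScripts.push(String(code));
  };
  return jq;
}

// Self-check: push a harmless sentinel script through .html() on an element
// that is attached to the document (jQuery only evaluates scripts for attached
// nodes) and report whether it ran. On a hardened page this returns false.
function inlineScriptRuns($container) {
  delete globalThis.__jqEvalProbe;
  $container.html('<a href="#"><script>globalThis.__jqEvalProbe = 1;</script></a>');
  const ran = globalThis.__jqEvalProbe === 1;
  delete globalThis.__jqEvalProbe;
  return ran;
}

// Constructed stand-in reproducing the jQuery 2.x behaviour above so this file
// runs outside a browser. In a real page, use the real `jQuery` object and an
// attached element such as jQuery('.fileinfo') instead.
function makeFakeJQuery() {
  const jq = {};
  jq.globalEval = function (code) { Function(code)(); }; // default: run in global scope
  jq.attached = function () {
    return {
      html(markup) {
        const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
        let m;
        while ((m = re.exec(markup)) !== null) jq.globalEval(m[1]);
      },
    };
  };
  return jq;
}

function demo() {
  const jq = makeFakeJQuery();
  const before = inlineScriptRuns(jq.attached()); // true: script executed
  hardenJQuery(jq);
  const after = inlineScriptRuns(jq.attached());  // false: script dropped
  return { before, after, blocked: blockedScripts.length };
}
```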