diff --git a/core/js/js.js b/core/js/js.js
index c8907cdfc90b067dc0279389abeb9304ebd8281a..5c737d41793becdf58544b10baf2913d7036a2a8 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1264,6 +1264,15 @@ function initCore() {
 		}
 	});
 
+	/**
+	 * Disable execution of eval in jQuery. We do require an allowed eval CSP
+	 * configuration at the moment for handlebars et al. But for jQuery there is
+	 * not much of a reason to execute JavaScript directly via eval.
+	 *
+	 * This thus mitigates some unexpected XSS vectors.
+	 */
+	jQuery.globalEval = function(){};
+
 	/**
 	 * Set users locale to moment.js as soon as possible
 	 */
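Review bot: The no-op assigned to `jQuery.globalEval` at the end of the added block drops every call silently, so a legitimate caller (for example a response handled with `dataType: 'script'`) and a blocked injection attempt look identical and neither leaves a trace. Consider `jQuery.globalEval = function(){ console.warn('jQuery.globalEval is disabled'); };` so that breakage and blocked attempts show up in the console. The doc comment should also state the limits of the mitigation: it only takes effect once `initCore()` has run and only on this jQuery instance. Depending on the bundled jQuery version, script execution paths that do not go through `globalEval`, such as cross-domain script requests loaded through a `<script>` element, are presumably not covered. The body of `initCore()` starts and ends outside this hunk, so its call timing cannot be confirmed from here.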