Merge pull request #3874 from nextcloud/harden-js-by-disabling-eval-execution

Harden JS by disabling jQuery eval
2017-03-17 08:31:12 +01:00 · 2017-03-17 08:31:12 +01:00 · 7a3acff782
parent 88e68b5058 148e7abb51
commit 7a3acff782
1 changed files with 9 additions and 0 deletions
--- a/core/js/js.js
+++ b/core/js/js.js
@ -1264,6 +1264,15 @@ function initCore() {
 		}
 	});

+	/**
+	 * Disable execution of eval in jQuery. We do require an allowed eval CSP
+	 * configuration at the moment for handlebars et al. But for jQuery there is
+	 * not much of a reason to execute JavaScript directly via eval.
+	 *
+	 * This thus mitigates some unexpected XSS vectors.
+	 */
+	jQuery.globalEval = function(){};
+
 	/**
 	 * Set users locale to moment.js as soon as possible
 	 */