Merge pull request #3874 from nextcloud/harden-js-by-disabling-eval-execution
Harden JS by disabling jQuery eval
commit
7a3acff782
|
@ -1264,6 +1264,15 @@ function initCore() {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Disable execution of eval in jQuery. We do require an allowed eval CSP
|
||||||
|
* configuration at the moment for handlebars et al. But for jQuery there is
|
||||||
|
* not much of a reason to execute JavaScript directly via eval.
|
||||||
|
*
|
||||||
|
* This thus mitigates some unexpected XSS vectors.
|
||||||
|
*/
|
||||||
|
jQuery.globalEval = function(){};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set users locale to moment.js as soon as possible
|
* Set users locale to moment.js as soon as possible
|
||||||
*/
|
*/
|
||||||
|
|
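Review bot: The empty function assigned to `jQuery.globalEval` at the end of the added block fails silently, so any core or app code that still relies on jQuery evaluating script content (script-typed AJAX responses, inline scripts in inserted HTML) will stop working with no diagnostic. Logging a warning would make both those regressions and blocked evaluation attempts visible, e.g. `jQuery.globalEval = function(){ console.warn('jQuery.globalEval is disabled'); };`. The doc comment should also state the scope of the mitigation: as far as I know, jQuery loads cross-origin scripts by injecting a script element rather than by calling globalEval, so that path is presumably not covered by this override and still depends on the CSP. The hunk does not show whether the assignment sits at top level or inside a block that closes later, so it is worth confirming that it runs before any AJAX or DOM insertion code.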