Merge pull request #3874 from nextcloud/harden-js-by-disabling-eval-execution

Harden JS by disabling jQuery eval

core/js/js.js

@@ -1264,6 +1264,15 @@ function initCore() {
 		}
 	});
 
+	/**
+	 * Disable execution of eval in jQuery. We do require an allowed eval CSP
+	 * configuration at the moment for handlebars et al. But for jQuery there is
+	 * not much of a reason to execute JavaScript directly via eval.
+	 *
+	 * This thus mitigates some unexpected XSS vectors.
+	 */
+	jQuery.globalEval = function(){};
+
 	/**
 	 * Set users locale to moment.js as soon as possible
 	 */