/** * @copyright 2019 Christoph Wurst * * @author Christoph Wurst * @author John Molakvoæ * @author Roeland Jago Douma * * @license GNU AGPL version 3 or any later version * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as * published by the Free Software Foundation, either version 3 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . * */ import $ from 'jquery' import './avatar' import './contactsmenu' import './exists' import './filterattr' import './ocdialog' import './octemplate' import './placeholder' import './requesttoken' import './selectrange' import './showpassword' import './ui-fixes' import './css/jquery-ui-fixes.scss' import './css/jquery.ocdialog.scss' /** * Disable automatic evaluation of responses for $.ajax() functions (and its * higher-level alternatives like $.get() and $.post()). * * If a response to a $.ajax() request returns a content type of "application/javascript" * JQuery would previously execute the response body. This is a pretty unexpected * behaviour and can result in a bypass of our Content-Security-Policy as well as * multiple unexpected XSS vectors. */ $.ajaxSetup({ contents: { script: false, }, }) /** * Disable execution of eval in jQuery. We do require an allowed eval CSP * configuration at the moment for handlebars et al. But for jQuery there is * not much of a reason to execute JavaScript directly via eval. * * This thus mitigates some unexpected XSS vectors. */ $.globalEval = function() { }