From ad358fd62b0ab548abe379594ea00441940461f6 Mon Sep 17 00:00:00 2001 From: Oleg Gaidarenko Date: Wed, 11 Nov 2015 18:55:44 +0300 Subject: [PATCH] Revert "Ajax: Mitigate possible XSS vulnerability" This reverts commit b078a62013782c7424a4a61a240c23c4c0b42614. --- src/ajax.js | 2 +- src/ajax/script.js | 7 ------- test/unit/ajax.js | 48 ---------------------------------------------- 3 files changed, 1 insertion(+), 56 deletions(-) diff --git a/src/ajax.js b/src/ajax.js index bb69cf1d3..4feed36b5 100644 --- a/src/ajax.js +++ b/src/ajax.js @@ -223,7 +223,7 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) { if ( current ) { - // There's only work to do if current dataType is non-auto + // There's only work to do if current dataType is non-auto if ( current === "*" ) { current = prev; diff --git a/src/ajax/script.js b/src/ajax/script.js index 485ba397b..945bea9da 100644 --- a/src/ajax/script.js +++ b/src/ajax/script.js @@ -4,13 +4,6 @@ define( [ "../ajax" ], function( jQuery, document ) { -// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) -jQuery.ajaxPrefilter( function( s ) { - if ( s.crossDomain ) { - s.contents.script = false; - } -} ); - // Install script dataType jQuery.ajaxSetup( { accepts: { diff --git a/test/unit/ajax.js b/test/unit/ajax.js index 4eb70cad8..8e7cc06f4 100644 --- a/test/unit/ajax.js +++ b/test/unit/ajax.js @@ -71,54 +71,6 @@ QUnit.module( "ajax", { }; } ); - ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) { - return { - create: function( options ) { - options.crossDomain = true; - return jQuery.ajax( url( "data/script.php?header=ecma" ), options ); - }, - success: function() { - assert.ok( true, "success" ); - }, - complete: function() { - assert.ok( true, "complete" ); - } - }; - } ); - - ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, - function( assert ) { - return { - create: function( options ) { - options.crossDomain = true; - options.dataType = "script"; - return jQuery.ajax( url( "data/script.php?header=ecma" ), options ); - }, - success: function() { - assert.ok( true, "success" ); - }, - complete: function() { - assert.ok( true, "complete" ); - } - }; - } - ); - - ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) { - return { - create: function( options ) { - options.crossDomain = true; - return jQuery.ajax( url( "data/script.php" ), options ); - }, - success: function() { - assert.ok( true, "success" ); - }, - complete: function() { - assert.ok( true, "complete" ); - } - }; - } ); - ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) { return { setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),