Applies jQuery patch to fix CVE-2015-9251 in order to pass PCI compliance
// Patch code
// Registers an ajax prefilter that runs before every jQuery request is sent.
// For cross-domain requests it clears the "script" entry of the request's
// contents map (the table jQuery uses to decide when a response is script);
// same-domain requests are left untouched.
jQuery.ajaxPrefilter(function (options) {
    if (!options.crossDomain) {
        return;
    }
    options.contents.script = false;
});
// Patch code (minified)
// Same prefilter as above in one line: for cross-domain requests only, drop the
// "script" entry of the contents map so the response is not treated as script.
jQuery.ajaxPrefilter(function(o){if(o.crossDomain)o.contents.script=false});
// XSS testing code
// This will trigger a non-malicious JS alert.
// Use it before and after the patch code to test effectiveness:
// the alert appearing means cross-domain responses are still run as script;
// no alert after the patch means the prefilter took effect.
(function (probeUrl) {
    jQuery.get(probeUrl);
})('https://sakurity.com/jqueryxss');
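/**
 * WORDPRESS FIX
 * The following snippet appends the patch to the page head immediately after the
 * jQuery script tag is printed, so the prefilter is registered before any
 * page code can issue a request.
 *
 * NOTE(review): on WordPress 4.5+ the supported way to attach a snippet to a
 * script is wp_add_inline_script('jquery', $js, 'after') from a
 * wp_enqueue_scripts callback; this filter-based version is kept for sites
 * that need it, but consider migrating.
 */
// Applies jQuery 1.x patch to fix CVE-2015-9251 in order to pass PCI compliance.
// https://nvd.nist.gov/vuln/detail/CVE-2015-9251
// https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
add_filter('script_loader_tag', static function (string $tag, string $handle, string $src): string {
    // In a stock WordPress install the jQuery file itself is registered under the
    // 'jquery-core' handle, while 'jquery' is a source-less alias that only depends on
    // 'jquery-core' and 'jquery-migrate'; script_loader_tag is applied per printed
    // <script src> tag, so a check for 'jquery' alone may never match there. Matching
    // both handles covers stock installs as well as themes that re-register 'jquery'
    // with its own src (e.g. a CDN copy) -- confirm against the WordPress version in use.
    // If both handles happen to print, the prefilter is simply registered twice, which
    // has no additional effect.
    if (!in_array($handle, ['jquery', 'jquery-core'], true)) {
        return $tag;
    }

    // Fixed literal with no user-controlled data, so emitting it inline is safe;
    // keep it that way -- never build this tag from request or option values.
    $tag .= "<script type='text/javascript'>jQuery.ajaxPrefilter(function(n){n.crossDomain&&(n.contents.script=!1)});</script>\n";

    return $tag;
}, 10, 3);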
/**
 * WORDPRESS TEST
 * Prints the probe request after jQuery and the patch have loaded.
 * The JS alert will not fire if the patch was applied successfully.
 *
 * NOTE(review): wp_head runs inside the document head; if the theme enqueues
 * jQuery in the footer, jQuery is not yet defined when this prints and the
 * probe errors out instead of testing anything -- confirm jQuery is loaded in
 * the head on the site under test. Remove this hook once testing is done.
 */
add_action('wp_head', static function (): void {
    $probe = 'jQuery.get("https://sakurity.com/jqueryxss");';

    echo '<script type="text/javascript">' . $probe . '</script>';
});