jQuery Security Patch
/* Original code. | |
* Copyright 2005, 2013 jQuery Foundation, Inc. and other contributors | |
* Released under the MIT license | |
* http://jquery.org/license | |
*/ | |
// This is designed to be used via RequireJS, but you can also just copy the code inside and execute it after you load jQuery. | |
// TODO(devd): modify this code to automatically detect absence of AMD environment and do the right thing. | |
define(["jquery"], function(jQuery) { | |
jQuery.fn.domManip = function (args, callback, allowIntersection) { | |
// XXX(devd): redefine internal functions disableScript, getAll, restoreScript | |
// because they are called by domManip. Copied directly from jquery code | |
var disableScript = function (elem) { | |
elem.type = (jQuery.find.attr(elem, "type") !== null) + "/" + elem.type; | |
return elem; | |
}; | |
var getAll = function (context, tag) { | |
var elems, elem, i = 0, | |
core_strundefined = typeof undefined, | |
found = typeof context.getElementsByTagName !== core_strundefined ? context.getElementsByTagName(tag || "*") : typeof context.querySelectorAll !== core_strundefined ? context.querySelectorAll(tag || "*") : undefined; | |
if (!found) { | |
for (found = [], elems = context.childNodes || context; | |
(elem = elems[i]) != null; i++) { | |
if (!tag || jQuery.nodeName(elem, tag)) { | |
found.push(elem); | |
} else { | |
jQuery.merge(found, getAll(elem, tag)); | |
} | |
} | |
} | |
return tag === undefined || tag && jQuery.nodeName(context, tag) ? jQuery.merge([context], found) : found; | |
}; | |
var restoreScript = function ( elem ) { | |
var match = /^true\/(.*)/.exec( elem.type ); | |
if ( match ) { | |
elem.type = match[1]; | |
} else { | |
elem.removeAttribute("type"); | |
} | |
return elem; | |
}; | |
// Flatten any nested arrays | |
// XXX(devd): use [].concat instead of core_concat reference, since we can't refer it directly | |
args = ([].concat).apply([], args); | |
var first, node, hasScripts, | |
scripts, doc, fragment, _ref, | |
i = 0, | |
l = this.length, | |
set = this, | |
iNoClone = l - 1, | |
value = args[0], | |
isFunction = jQuery.isFunction(value); | |
// We can't cloneNode fragments that contain checked, in WebKit | |
if (isFunction || !(l <= 1 || typeof value !== "string" || jQuery.support.checkClone || !rchecked.test(value))) { | |
return this.each(function (index) { | |
var self = set.eq(index); | |
if (isFunction) { | |
args[0] = value.call(this, index, self.html()); | |
} | |
self.domManip(args, callback, allowIntersection); | |
}); | |
} | |
if (l) { | |
fragment = jQuery.buildFragment(args, this[0].ownerDocument, false, !allowIntersection && this); | |
first = fragment.firstChild; | |
if (fragment.childNodes.length === 1) { | |
fragment = first; | |
} | |
if (first) { | |
scripts = jQuery.map(getAll(fragment, "script"), disableScript); | |
hasScripts = scripts.length; | |
// Use the original fragment for the last item instead of the first because it can end up | |
// being emptied incorrectly in certain situations (#8070). | |
for (; i < l; i++) { | |
node = fragment; | |
if (i !== iNoClone) { | |
node = jQuery.clone(node, true, true); | |
// Keep references to cloned scripts for later restoration | |
if (hasScripts) { | |
jQuery.merge(scripts, getAll(node, "script")); | |
} | |
} | |
callback.call(this[i], node, i); | |
} | |
if (hasScripts) { | |
doc = scripts[scripts.length - 1].ownerDocument; | |
// Reenable scripts | |
jQuery.map(scripts, restoreScript); | |
// Evaluate executable scripts on first document insertion | |
for (i = 0; i < hasScripts; i++) { | |
node = scripts[i]; | |
// XXX(devd): Dropbox hack. This stops domManip (and thus, html(), append() and so on) from eval'ing script tags unless they know the CSP SCRIPT NONCE | |
// defined in Constants.CSP_SCRIPT_NONCE. Since we use unsafe-eval, this prevents a trivial bypass of our inline script protections. | |
if ((((_ref = window.Constants) != null ? _ref.CSP_SCRIPT_NONCE : void 0) != null) && window.Constants.CSP_SCRIPT_NONCE !== node.getAttribute('nonce')) { | |
console.error("Refused to execute script from node "+ node +" because Constants.CSP_SCRIPT_NONCE is defined and the nonce doesn't match."); | |
continue; | |
} | |
// XXX(devd): the regex rscripttype defined in the jQuery source code is used directly here | |
if (/^$|\/(?:java|ecma)script/i.test(node.type || "") && !jQuery._data(node, "globalEval") && jQuery.contains(doc, node)) { | |
if (node.src) { | |
// Hope ajax is available... | |
jQuery._evalUrl(node.src); | |
} else { | |
jQuery.globalEval((node.text || node.textContent || node.innerHTML || "").replace(/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g, "")); | |
} | |
} | |
} | |
} | |
// Fix #11809: Avoid leaking memory | |
fragment = first = null; | |
} | |
} | |
return this; | |
}; | |
// XXX(devd): make sure jQuery.ajax doesn't try to eval script | |
jQuery.ajaxSettings.converters["text script"] = true | |
return jQuery; | |
}); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Hi,
Do I need to just copy the above code in my custom.js in document.ready? Please suggest.
Thanks,
Vikram