[security/229] Add ajax prefilter for crossdomain requests

SECURITY-229
author: Marc Alexander <admin@m-a-styles.de> 2018-12-11 21:28:29 +0100
committer: Marc Alexander <admin@m-a-styles.de> 2018-12-11 21:28:29 +0100
commit: 179c6067be3e792bb3bbfa304bf5ae1600b63989 (patch)
tree: 46b89922ed84e9379c51c47c1a6228144774888d /phpBB/assets/javascript
parent: 97c5861d5907c7476f3cd6cebcd690d04b64a5d9 (diff)
download: forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar
forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar.gz
forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar.bz2
forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar.xz
forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/phpBB/assets/javascript/core.js b/phpBB/assets/javascript/core.js
index 02d7323dfb..5218a8c1be 100644
--- a/phpBB/assets/javascript/core.js
+++ b/phpBB/assets/javascript/core.js
@@ -20,6 +20,13 @@ var phpbbAlertTimer = null;
 
 phpbb.isTouch = (window && typeof window.ontouchstart !== 'undefined');
 
+// Add ajax pre-filter to prevent cross-domain script execution
+$.ajaxPrefilter(function(s) {
+	if (s.crossDomain) {
+		s.contents.script = false;
+	}
+});
+
 /**
  * Display a loading screen
  *
author	Marc Alexander <admin@m-a-styles.de>	2018-12-11 21:28:29 +0100
committer	Marc Alexander <admin@m-a-styles.de>	2018-12-11 21:28:29 +0100
commit	179c6067be3e792bb3bbfa304bf5ae1600b63989 (patch)
tree	46b89922ed84e9379c51c47c1a6228144774888d /phpBB/assets/javascript
parent	97c5861d5907c7476f3cd6cebcd690d04b64a5d9 (diff)
download	forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar.gz forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar.bz2 forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.tar.xz forums-179c6067be3e792bb3bbfa304bf5ae1600b63989.zip