Check Content-Type header before parsing AJAX response as HTML (#8649)

Fix for issue #8640 (possible XSS vulnerability)
jquery-archive · Jun 13, 2019 · b0d9cc7 · b0d9cc7
1 parent 1f0cec9
commit b0d9cc7
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/js/widgets/pagecontainer.js b/js/widgets/pagecontainer.js
@@ -564,6 +564,15 @@ $.widget( "mobile.pagecontainer", {
 
 		return $.proxy( function( html, textStatus, xhr ) {
 
+			// Check that Content-Type is "text/html" (https://github.com/jquery/jquery-mobile/issues/8640)
+			if ( !/^text\/html\b/.test( xhr.getResponseHeader('Content-Type') ) ) {
+				// Display error message for unsupported content type
+				if ( settings.showLoadMsg ) {
+					this._showError();
+				}
+				return;
+			}
+
 			// Pre-parse html to check for a data-url, use it as the new fileUrl, base path, etc
 			var content,