24 } |
24 } |
25 } |
25 } |
26 return jquery_init.call(this, selector, context, rootjQuery); |
26 return jquery_init.call(this, selector, context, rootjQuery); |
27 }; |
27 }; |
28 $.fn.init.prototype = jquery_init.prototype; |
28 $.fn.init.prototype = jquery_init.prototype; |
|
29 |
|
30 /** |
|
31 * Pre-filter Ajax requests to guard against XSS attacks. |
|
32 * |
|
33 * See https://github.com/jquery/jquery/issues/2432 |
|
34 */ |
|
35 if ($.ajaxPrefilter) { |
|
36 // For newer versions of jQuery, use an Ajax prefilter to prevent |
|
37 // auto-executing script tags from untrusted domains. This is similar to the |
|
38 // fix that is built in to jQuery 3.0 and higher. |
|
39 $.ajaxPrefilter(function (s) { |
|
40 if (s.crossDomain) { |
|
41 s.contents.script = false; |
|
42 } |
|
43 }); |
|
44 } |
|
45 else if ($.httpData) { |
|
46 // For the version of jQuery that ships with Drupal core, override |
|
47 // jQuery.httpData to prevent auto-detecting "script" data types from |
|
48 // untrusted domains. |
|
49 var jquery_httpData = $.httpData; |
|
50 $.httpData = function (xhr, type, s) { |
|
51 // @todo Consider backporting code from newer jQuery versions to check for |
|
52 // a cross-domain request here, rather than using Drupal.urlIsLocal() to |
|
53 // block scripts from all URLs that are not on the same site. |
|
54 if (!type && !Drupal.urlIsLocal(s.url)) { |
|
55 var content_type = xhr.getResponseHeader('content-type') || ''; |
|
56 if (content_type.indexOf('javascript') >= 0) { |
|
57 // Default to a safe data type. |
|
58 type = 'text'; |
|
59 } |
|
60 } |
|
61 return jquery_httpData.call(this, xhr, type, s); |
|
62 }; |
|
63 $.httpData.prototype = jquery_httpData.prototype; |
|
64 } |
29 |
65 |
30 /** |
66 /** |
31 * Attach all registered behaviors to a page element. |
67 * Attach all registered behaviors to a page element. |
32 * |
68 * |
33 * Behaviors are event-triggered actions that attach to page elements, enhancing |
69 * Behaviors are event-triggered actions that attach to page elements, enhancing |
135 * |
171 * |
136 * @ingroup sanitization |
172 * @ingroup sanitization |
137 */ |
173 */ |
138 Drupal.checkPlain = function (str) { |
174 Drupal.checkPlain = function (str) { |
139 var character, regex, |
175 var character, regex, |
140 replace = { '&': '&', '"': '"', '<': '<', '>': '>' }; |
176 replace = { '&': '&', "'": ''', '"': '"', '<': '<', '>': '>' }; |
141 str = String(str); |
177 str = String(str); |
142 for (character in replace) { |
178 for (character in replace) { |
143 if (replace.hasOwnProperty(character)) { |
179 if (replace.hasOwnProperty(character)) { |
144 regex = new RegExp(character, 'g'); |
180 regex = new RegExp(character, 'g'); |
145 str = str.replace(regex, replace[character]); |
181 str = str.replace(regex, replace[character]); |