Commit ddda2afb authored by catch

Issue #2592925 by Fabianx, Sagar Ramgade: Harden drupalSettings selector against XSS when CSP is enabled
parent 4d4f76b9
......@@ -7,7 +7,8 @@
'use strict';
var settingsElement = document.querySelector('script[type="application/json"][data-drupal-selector="drupal-settings-json"]');
// Use direct child elements to harden against XSS exploits when CSP is on.
var settingsElement = document.querySelector('head > script[type="application/json"][data-drupal-selector="drupal-settings-json"], body > script[type="application/json"][data-drupal-selector="drupal-settings-json"]');
/**
* Variable generated by Drupal with all the configuration created from PHP.
......
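Review bot: The new comment above the `querySelector` call says only that direct child elements harden against XSS when CSP is on, without stating what the restriction relies on. Expand it to say that a `script[type="application/json"]` element carrying `data-drupal-selector="drupal-settings-json"` is only accepted when it is a direct child of `head` or `body`, so an element with the same attributes nested inside rendered content no longer matches. Two further points on the same line: `querySelector` returns the first match in document order across both branches of the selector list, so the restriction narrows where a matching element may sit but does not by itself guarantee that the element found is the one Drupal generated, and the comment should state that limit. The attribute part of the selector is also repeated verbatim in both branches, so building the string from one shared variable would keep the two from drifting apart.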