Merge pull request #29 from vikingco/bugfix/MVP-16063/extra-xss-preve…

…ntion Improve XSS protection
vikingco · Nov 30, 2017 · ae1992b · ae1992b
2 parents e9aa040 + 329eb1d
commit ae1992b
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/django_ajax/static/ajax-utilities/js/pagination.js b/django_ajax/static/ajax-utilities/js/pagination.js
@@ -52,8 +52,9 @@ var Pagination = new function() {
 
             function ajax(url, handler) {
                 // URL should start with a slash, but cannot start with two slashes.
+		// we cannot start with "/\". Modern browsers handle backslashes as normal slashes.
                 // (Otherwise we have an XSS vulnerability.)
-                if (url[0] != '/' || url[1] == '/')
+                if (url[0] != '/' || url[1] == '/' || url.startsWith("/\\")
                     url = (''+location).replace( /[#\?].*/, '') + url;
 
                 // Append 'xhr' to make sure all content is loaded.