From fcdf0e4a604ba9ea36221824e478e1748b9f789a Mon Sep 17 00:00:00 2001
From: navnitan-7 <snavnitan@gmail.com>
Date: Tue, 31 Mar 2026 10:06:21 +0530
Subject: [PATCH] fix: mitigate CVE-2015-9251 in vendored jQuery ajax

Skip script conversion on cross-domain responses unless dataType
is explicitly script, matching jquery/jquery@2546bb35 (gh-2432).

Made-with: Cursor
---
 extension/js/jquery.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/extension/js/jquery.js b/extension/js/jquery.js
index 98cd95a..1392065 100644
--- a/extension/js/jquery.js
+++ b/extension/js/jquery.js
@@ -9226,6 +9226,11 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 			// Convert response if prev dataType is non-auto and differs from current
 			} else if ( prev !== "*" && prev !== current ) {
 
+				// Mitigate possible XSS vulnerability (gh-2432)
+				if ( s.crossDomain && current === "script" ) {
+					continue;
+				}
+
 				// Seek a direct converter
 				conv = converters[ prev + " " + current ] || converters[ "* " + current ];