compdemocracy · navnitan-7 · Apr 1, 2026
diff --git a/client-participation/js/3rdparty/jquery.js b/client-participation/js/3rdparty/jquery.js
@@ -8288,6 +8288,11 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) {
 			// Convert response if prev dataType is non-auto and differs from current
 			} else if ( prev !== "*" && prev !== current ) {
 
+				// Mitigate possible XSS vulnerability (gh-2432)
+				if ( s.crossDomain && current === "script" ) {
+					continue;
+				}
+
 				// Seek a direct converter
 				conv = converters[ prev + " " + current ] || converters[ "* " + current ];
 

diff --git a/client-participation/package.json b/client-participation/package.json
@@ -2,6 +2,7 @@
   "name": "polis-client-participation",
   "version": "1.0.0",
   "scripts": {
+    "test": "node scripts/verify-jquery-cve-2015-9251.cjs",
     "start": "npm run dev",
     "analyze": "webpack --mode=production --analyze",
     "build": "npm run build:prod",

diff --git a/client-participation/scripts/verify-jquery-cve-2015-9251.cjs b/client-participation/scripts/verify-jquery-cve-2015-9251.cjs
@@ -0,0 +1,20 @@
+"use strict";
+
+/**
+ * Regression guard for CVE-2015-9251 mitigation in vendored jQuery (ajaxConvert).
+ * @see https://github.com/jquery/jquery/commit/2546bb35b89413da5198d54a4539e4ed0aaf6e49
+ */
+const fs = require("fs");
+const path = require("path");
+
+const jqueryPath = path.join(__dirname, "..", "js", "3rdparty", "jquery.js");
+const src = fs.readFileSync(jqueryPath, "utf8");
+
+if (!src.includes('s.crossDomain && current === "script"')) {
+  console.error(
+    "verify-jquery-cve-2015-9251: expected gh-2432 / CVE-2015-9251 guard in ajaxConvert"
+  );
+  process.exit(1);
+}
+
+console.log("verify-jquery-cve-2015-9251: ok");