From fdfa63add2a80686acdcba72e4f24af9aa900eb7 Mon Sep 17 00:00:00 2001
From: Denis Ryabov
Date: Mon, 6 May 2019 09:24:30 +0300
Subject: [PATCH] Check Content-Type header before parsing AJAX response as HTML
Fix for issue #8640 (possible XSS vulnerability)
---
 js/widgets/pagecontainer.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/js/widgets/pagecontainer.js b/js/widgets/pagecontainer.js
index 6e973688caf..5e3272e9779 100644
--- a/js/widgets/pagecontainer.js
+++ b/js/widgets/pagecontainer.js
@@ -564,6 +564,15 @@ $.widget( "mobile.pagecontainer", {
 return $.proxy( function( html, textStatus, xhr ) {
+ // Check that Content-Type is "text/html" (https://github.com/jquery/jquery-mobile/issues/8640)
+ if ( !/^text\/html\b/.test( xhr.getResponseHeader('Content-Type') ) ) {
+ // Display error message for unsupported content type
+ if ( settings.showLoadMsg ) {
+ this._showError();
+ }
+ return;
+ }
+
 // Pre-parse html to check for a data-url, use it as the new fileUrl, base path, etc
 var content,
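Review bot: The new rejection branch ends in a bare `return;`, so when `settings.showLoadMsg` is false a response with the wrong Content-Type is dropped with no signal at all. Nothing visible in the hunk rejects the pending load or fires a failure event, so callers waiting on this load may never be told it was refused. The branch should take the same failure path the widget's error handler uses, not only optionally show the message. Separately, media types are case-insensitive and `\b` also accepts values such as `text/html-x`, so a stricter, case-insensitive match is safer: `if ( !/^text\/html\s*(;|$)/i.test( xhr.getResponseHeader( "Content-Type" ) ) ) {`. The enclosing success handler begins and ends outside this hunk, so how it settles the load cannot be confirmed from here.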