From 8b80a6d59c9b874c31e7b0820422e826ef8427a1 Mon Sep 17 00:00:00 2001
From: navnitan-7
Date: Tue, 31 Mar 2026 02:08:15 +0530
Subject: [PATCH] Security: jQuery ajaxConvert cross-domain script mitigation (CVE-2015-9251)

Backport upstream jQuery gh-2432 logic in bundled DataTables/jQuery: skip inferred script conversion for cross-domain ajax responses.

Refs: https://github.com/jquery/jquery/commit/2546bb35b89413da5198d54a4539e4ed0aaf6e49

Made-with: Cursor
---
 front/lib/datatables/datatables.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/front/lib/datatables/datatables.js b/front/lib/datatables/datatables.js
index 6336121b..2027407d 100755
--- a/front/lib/datatables/datatables.js
+++ b/front/lib/datatables/datatables.js
@@ -9059,6 +9059,11 @@ function ajaxConvert( s, response, jqXHR, isSuccess ) { // Convert response if prev dataType is non-auto and differs from current } else if ( prev !== "*" && prev !== current ) { + // Mitigate possible XSS vulnerability (gh-2432) + if ( s.crossDomain && current === "script" ) { + continue; + } + // Seek a direct converter conv = converters[ prev + " " + current ] || converters[ "* " + current ];
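Review bot: The new guard refuses every text-to-script conversion on a cross-domain request, not only the inferred one the commit message describes: by the time `ajaxConvert` reaches this branch, a dataType inferred from the response Content-Type and one the caller requested explicitly (e.g. `dataType: "text script"`) are indistinguishable in `s.dataTypes`, assuming this bundled copy follows upstream jQuery 1.x. As far as I recall, the referenced upstream commit takes a different route — an `ajaxPrefilter` that sets `s.contents.script = false` when `s.crossDomain` — so the script type is never inferred while explicit requests are left alone; either mirror that where the bundle registers its script prefilter/transport, or amend the message and comment to say explicit cross-domain `text script` requests are now refused as well. Because the `continue` hands the caller the raw script source as `data` with no signal that execution was skipped, I would also expand the added comment to `// Cross-domain responses are never auto-executed as script (gh-2432 / CVE-2015-9251); the text is passed through unconverted`. Both `ajaxConvert` and the loop the `continue` relies on (presumably its `while ( current )`) start and end outside the hunk. Since this is a hand edit to a vendored bundle it will be silently lost on the next DataTables refresh, so upgrading the bundled jQuery to a release carrying the upstream fix remains the durable remedy, with this patch as a stopgap.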