Issue #2592925 by Fabianx, Sagar Ramgade: Harden drupalSettings selector...

Issue #2592925 by Fabianx, Sagar Ramgade: Harden drupalSettings selector against XSS when CSP is enabled

core/misc/drupalSettingsLoader.js

@@ -7,7 +7,8 @@
 
   'use strict';
 
-  var settingsElement = document.querySelector('script[type="application/json"][data-drupal-selector="drupal-settings-json"]');
+  // Use direct child elements to harden against XSS exploits when CSP is on.
+  var settingsElement = document.querySelector('head > script[type="application/json"][data-drupal-selector="drupal-settings-json"], body > script[type="application/json"][data-drupal-selector="drupal-settings-json"]');
 
   /**
    * Variable generated by Drupal with all the configuration created from PHP.