Side navigation
#11323 closed bug (fixed)
Opened February 10, 2012 08:51PM UTC
Closed March 03, 2012 03:13AM UTC
Last modified March 03, 2012 03:27AM UTC
script tags with type="text/ecmascript" leak into the DOM
| Reported by: | gibson042 | Owned by: | rwaldron |
|---|---|---|---|
| Priority: | low | Milestone: | 1.7.2 |
| Component: | manipulation | Version: | 1.7.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
jQuery.clean has inconsistent logic for adding script elements to the result set vs. moving them into the scripts array: the former checks for no type or "text/javascript" or "text/ecmascript"; the latter only for no type or "text/javascript". As a result, those with type "text/ecmascript" are erroneously added to the result fragment and ultimately to the DOM.
Attachments (0)
Change History (9)
Changed February 10, 2012 09:01PM UTC by comment:1
| resolution: | → wontfix |
|---|---|
| status: | new → closed |
Changed February 10, 2012 09:03PM UTC by comment:2
So we should remove it from rscriptType, right?
Changed February 10, 2012 09:04PM UTC by comment:3
Ideally we'd only remove script tags if the browser was going to "execute" them. I wonder if there is a simple feature detect for that. Or is it better to consistently remove scripts even if they aren't executed on the current browser? Seems like it's a dontcare if it doesn't execute.
Changed February 10, 2012 09:06PM UTC by comment:4
| resolution: | wontfix |
|---|---|
| status: | closed → reopened |
ugh. I didn't actually mean to select "wont fix"
Changed February 10, 2012 09:24PM UTC by comment:5
| component: | unfiled → manipulation |
|---|---|
| priority: | undecided → low |
| status: | reopened → open |
Changed February 10, 2012 09:32PM UTC by comment:6
Changed February 10, 2012 09:44PM UTC by comment:7
| owner: | → rwaldron |
|---|---|
| status: | open → assigned |
As I said in the PR:
This does way more then address the bug in the ticket... I'm sorry, but after I re-opened the ticket, I wrote a test and tiny patch for this that only addresses the bug in question.
Minimal patch, directly addresses issue, includes tests: https://github.com/jquery/jquery/pull/681
Changed March 03, 2012 03:13AM UTC by comment:8
| resolution: | → fixed |
|---|---|
| status: | assigned → closed |
Fix #11323. Consistently use rscriptType in jQuery.clean()
Changeset: f0732c1e4138342c96e35ff51d5cd681b6cfdb94
Changed March 03, 2012 03:27AM UTC by comment:9
| milestone: | None → 1.7.2 |
|---|
RFC 4326 Defines "text/ecmascript" as obsolete