Side navigation
#1611 closed bug (patchwelcome)
Opened September 13, 2007 02:48PM UTC
Closed January 02, 2011 10:50PM UTC
Last modified March 14, 2012 03:40AM UTC
inserting html into iframe evals scripts in parent context
| Reported by: | codekitchen | Owned by: | john |
|---|---|---|---|
| Priority: | major | Milestone: | 1.5 |
| Component: | ajax | Version: | 1.4.4 |
| Keywords: | ajaxrewrite | Cc: | |
| Blocked by: | Blocking: |
Description
Related to the new contents() function in jQuery 1.2, domManip doesn't have any idea that the HTML snippet you are inserting is going into an iframe on the page, and it evals any script tags in the parent context, not the iframe context. For example:
$.get("/some/page", function(h) {
$("iframe").contents().find("#remote").append(h)
})
If the html returned by the ajax request has any script tags, those will be eval'd in the full page even though the html is inserted into the iframe. This happens regardless of whether the html comes from an ajax request or whatever, of course.
Attachments (0)
Change History (5)
Changed January 08, 2009 05:05AM UTC by comment:1
| owner: | → john |
|---|
Changed November 17, 2010 01:12AM UTC by comment:2
| component: | core → ajax |
|---|---|
| status: | new → open |
Changed November 25, 2010 11:06PM UTC by comment:3
| milestone: | 1.2.1 → 1.5 |
|---|---|
| version: | 1.2 → 1.4.4 |
test case for completeness
Changed December 27, 2010 10:36PM UTC by comment:4
| keywords: | → ajaxrewrite |
|---|
Changed January 02, 2011 10:50PM UTC by comment:5
| resolution: | → patchwelcome |
|---|---|
| status: | open → closed |
I believe we decided we are not going to go out of our way to provide fixes for cross-frame activity, such as that which is being described here. This can be reopened by someone else on the team if this is not the case. We’ll be happy to accept any reasonable patches, however.
This is a close cousin of #3105, but with the twist regarding an iframe.