Ticket #1611 (closed bug: patchwelcome)
inserting html into iframe evals scripts in parent context
| Reported by: | codekitchen | Owned by: | john |
|---|---|---|---|
| Priority: | major | Milestone: | 1.5 |
| Component: | ajax | Version: | 1.4.4 |
| Keywords: | ajaxrewrite | Cc: | |
| Blocking: | Blocked by: |
Description
Related to the new contents() function in jQuery 1.2, domManip doesn't have any idea that the HTML snippet you are inserting is going into an iframe on the page, and it evals any script tags in the parent context, not the iframe context. For example:
$.get("/some/page", function(h) {
$("iframe").contents().find("#remote").append(h)
})
If the html returned by the ajax request has any script tags, those will be eval'd in the full page even though the html is inserted into the iframe. This happens regardless of whether the html comes from an ajax request or whatever, of course.
Change History
comment:2 Changed 3 years ago by dmethvin
- Status changed from new to open
- Component changed from core to ajax
comment:3 Changed 3 years ago by jitter
- Version changed from 1.2 to 1.4.4
- Milestone changed from 1.2.1 to 1.5
test case for completeness
comment:5 Changed 2 years ago by snover
- Status changed from open to closed
- Resolution set to patchwelcome
I believe we decided we are not going to go out of our way to provide fixes for cross-frame activity, such as that which is being described here. This can be reopened by someone else on the team if this is not the case. We’ll be happy to accept any reasonable patches, however.
Please follow the bug reporting guidlines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
This is a close cousin of #3105, but with the twist regarding an iframe.