Skip to main content

Bug Tracker

Side navigation

#6307 closed bug (wontfix)

Opened March 18, 2010 12:39PM UTC

Closed April 17, 2011 05:28PM UTC

Last modified March 14, 2012 01:16AM UTC

jQuery .load() does not execute scripts when called with a selector in the URL

Reported by: Pointy Owned by: Pointy
Priority: low Milestone:
Component: ajax Version: 1.6b1
Keywords: neededdocs Cc:
Blocked by: Blocking:
Description

The ".load()" API always removes script blocks from the markup loaded into the document. However, when called with a plain URL lacking a suffixed selector expression, the loaded content is handed to the ".html()" API before scripts are removed, and that code takes care to save and execute the stripped-out script blocks before throwing them away. When called with a selector expression appended to the URL, the scripts are stripped out before the DOM is updated and so are never executed.

Note that in both cases I'm talking about script blocks within the content actually loaded into the target DOM. In the first case, that's obvious, because the content returned from the xhr is always loaded in its entirety. In the second case, that of there being a selector at the end of the URL, I'm talking about script blocks within the response portion chosen by the selector.

This is not a subtle issue and it's trivial to demonstrate by example, and the cause is quite obvious in the "load()" code. It may be that there's a good reason for the difference in behavior, but there's no mention of how scripts are handled by "load()" in the documentation.

Attachments (0)
Change History (10)

Changed November 10, 2010 07:55PM UTC by addyosmani comment:1

owner: → Pointy
priority: → low
status: newpending

Can you please provide us a test case reproducing the issue that you've encountered on jsFiddle?. Once this has been done we will be better able to assist in narrowing down the cause and solution to the problem. Thanks.

Changed November 10, 2010 08:12PM UTC by Pointy comment:2

status: pendingnew

I can't provide a jsFiddle example, because I can't use $.load properly from that domain. I will, however, provide a test case elsewhere and post the URL here when it's done.

Changed November 10, 2010 08:25PM UTC by Pointy comment:3

You can see a simple test page here:

http://gutfullofbeer.net/jquery6307/container.html

Changed November 11, 2010 02:47PM UTC by SlexAxton comment:4

keywords: → script execution, load
milestone: 1.4.31.5
status: newopen

Seems valid. I can verify on my machine. I suppose we should prevent scripts from running in _all_ cases?

Changed November 11, 2010 03:15PM UTC by Pointy comment:5

Well dropping support for script execution on loaded content might cause half the internet to stop working, seems like. As far as I'm concerned, documenting the difference (and explaining why it's hard/unpleasant to change) would suffice.

Changed December 27, 2010 10:37PM UTC by rwaldron comment:6

keywords: script execution, loadscript,execution,load,ajaxrewrite

Changed April 01, 2011 09:14PM UTC by fealls@gmail.com comment:7

no SlexAxton, that's not a good alternative, some of us relay on that functionality deeply, but it would be good to just document the difference like Pointy said.

Changed April 08, 2011 06:04PM UTC by sibidiba comment:8

Interesting finding! I believe this bug goes much further than that! There is exactly zero documentation about how script blocks are handled when using $.html() or $.load() . Take into account that executing script blocks during DOM manipulation is definitely a security issue. I'm sure many devs would like to know what to expect and how to switch it on/off.

Changed April 17, 2011 05:28PM UTC by timmywil comment:9

keywords: script,execution,load,ajaxrewritescript,execution,load,ajaxrewrite,needsdocs
resolution: → wontfix
status: openclosed
version: 1.4.21.6b1

Confirmed this is still present in 1.6b1. I think we just need to document the different behavior of load.

Changed June 13, 2011 05:32AM UTC by addyosmani comment:10

keywords: script,execution,load,ajaxrewrite,needsdocsneededdocs

The docs for this have been updated to reflect the changes mentioned.