globalEval assumes JavaScript is being evaluated

[ScottyH]

globalEval assumes that the data argument contains JavaScript. In some (obscure) cases, globalEval may be called when attempting to evaluate a VBScript node through a dom manipulation call (e.g. append()).

I'm not even sure it's worth the added file size to do this check and change the script node's type, but it seems worth mentioning.

[snover]

Are you sure? Every place I see in jQuery that calls globalEval does so only if the script type contains the word “javascript”. Please provide a test case.

[ScottyH]

The problem is on line 4493 of 1.4.2. Specifically this expression, in the if condition:

!ret[i].type

The VBScript node could decide not to use the type attribute, and instead use language="VBScript".

(Trying to figure out how to attach an example)

[ScottyH]

<html>
	<head>
		<title></title>
	</head>
	<body>
		<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js"></script>
		<script type="text/javascript">		
			var vbdetect = '<scr' + 'ipt language="VBScript">\n';
			vbdetect += "on error resume next\n";
			vbdetect += 'If Not(IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5"))) Then\n';
			vbdetect += "Else\n";
			vbdetect += "hasFlash = true\n";
			vbdetect += "End If\n";
			vbdetect += '</scr' + 'ipt>\n';
	
			$("head").append(vbdetect);
		</script>
	</body>
</html>

[dmethvin]

Since VBScript is only supported by IE, there wouldn't be much benefit to supporting it through jQuery where we're struggling mightily to make things work across browsers. For a situation like this you can rewrite the snippet in Javascript or forego jQuery and evaluate the code with an IE-specific function.