Bug Tracker

Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#11323 closed bug (fixed)

script tags with type="text/ecmascript" leak into the DOM

Reported by: gibson042 Owned by: rwaldron
Priority: low Milestone: 1.7.2
Component: manipulation Version: 1.7.1
Keywords: Cc:
Blocked by: Blocking:

Description

http://jsfiddle.net/GaSua/

jQuery.clean has inconsistent logic for adding script elements to the result set vs. moving them into the scripts array: the former checks for no type or "text/javascript" or "text/ecmascript"; the latter only for no type or "text/javascript". As a result, those with type "text/ecmascript" are erroneously added to the result fragment and ultimately to the DOM.

Change History (9)

comment:1 Changed 5 years ago by rwaldron

  • Resolution set to wontfix
  • Status changed from new to closed

RFC 4326 Defines "text/ecmascript" as obsolete

comment:2 Changed 5 years ago by gibson042

So we should remove it from rscriptType, right?

comment:3 Changed 5 years ago by dmethvin

Ideally we'd only remove script tags if the browser was going to "execute" them. I wonder if there is a simple feature detect for that. Or is it better to consistently remove scripts even if they aren't executed on the current browser? Seems like it's a dontcare if it doesn't execute.

comment:4 Changed 5 years ago by rwaldron

  • Resolution wontfix deleted
  • Status changed from closed to reopened

ugh. I didn't actually mean to select "wont fix"

comment:5 Changed 5 years ago by rwaldron

  • Component changed from unfiled to manipulation
  • Priority changed from undecided to low
  • Status changed from reopened to open

comment:7 Changed 5 years ago by rwaldron

  • Owner set to rwaldron
  • Status changed from open to assigned

As I said in the PR:

This does way more then address the bug in the ticket... I'm sorry, but after I re-opened the ticket, I wrote a test and tiny patch for this that only addresses the bug in question.

Minimal patch, directly addresses issue, includes tests: https://github.com/jquery/jquery/pull/681

comment:8 Changed 4 years ago by Rick Waldron waldron.rick@…

  • Resolution set to fixed
  • Status changed from assigned to closed

Fix #11323. Consistently use rscriptType in jQuery.clean()

Changeset: f0732c1e4138342c96e35ff51d5cd681b6cfdb94

comment:9 Changed 4 years ago by dmethvin

  • Milestone changed from None to 1.7.2
Note: See TracTickets for help on using tickets.