Skip to main content

Bug Tracker

Side navigation

#11323 closed bug (fixed)

Opened February 10, 2012 08:51PM UTC

Closed March 03, 2012 03:13AM UTC

Last modified March 03, 2012 03:27AM UTC

script tags with type="text/ecmascript" leak into the DOM

Reported by: gibson042 Owned by: rwaldron
Priority: low Milestone: 1.7.2
Component: manipulation Version: 1.7.1
Keywords: Cc:
Blocked by: Blocking:

jQuery.clean has inconsistent logic for adding script elements to the result set vs. moving them into the scripts array: the former checks for no type or "text/javascript" or "text/ecmascript"; the latter only for no type or "text/javascript". As a result, those with type "text/ecmascript" are erroneously added to the result fragment and ultimately to the DOM.

Attachments (0)
Change History (9)

Changed February 10, 2012 09:01PM UTC by rwaldron comment:1

resolution: → wontfix
status: newclosed

RFC 4326 Defines "text/ecmascript" as obsolete

Changed February 10, 2012 09:03PM UTC by gibson042 comment:2

So we should remove it from rscriptType, right?

Changed February 10, 2012 09:04PM UTC by dmethvin comment:3

Ideally we'd only remove script tags if the browser was going to "execute" them. I wonder if there is a simple feature detect for that. Or is it better to consistently remove scripts even if they aren't executed on the current browser? Seems like it's a dontcare if it doesn't execute.

Changed February 10, 2012 09:06PM UTC by rwaldron comment:4

resolution: wontfix
status: closedreopened

ugh. I didn't actually mean to select "wont fix"

Changed February 10, 2012 09:24PM UTC by rwaldron comment:5

component: unfiledmanipulation
priority: undecidedlow
status: reopenedopen

Changed February 10, 2012 09:32PM UTC by gibson042 comment:6

Changed February 10, 2012 09:44PM UTC by rwaldron comment:7

owner: → rwaldron
status: openassigned

As I said in the PR:

This does way more then address the bug in the ticket... I'm sorry, but after I re-opened the ticket, I wrote a test and tiny patch for this that only addresses the bug in question.

Minimal patch, directly addresses issue, includes tests:

Changed March 03, 2012 03:13AM UTC by Rick Waldron comment:8

resolution: → fixed
status: assignedclosed

Fix #11323. Consistently use rscriptType in jQuery.clean()

Changeset: f0732c1e4138342c96e35ff51d5cd681b6cfdb94

Changed March 03, 2012 03:27AM UTC by dmethvin comment:9

milestone: None1.7.2