Bug Tracker

Opened 13 years ago

Closed 9 years ago

Last modified 8 years ago

#1611 closed bug (patchwelcome)

inserting html into iframe evals scripts in parent context

Reported by: codekitchen Owned by: john
Priority: major Milestone: 1.5
Component: ajax Version: 1.4.4
Keywords: ajaxrewrite Cc:
Blocked by: Blocking:

Description

Related to the new contents() function in jQuery 1.2, domManip doesn't have any idea that the HTML snippet you are inserting is going into an iframe on the page, and it evals any script tags in the parent context, not the iframe context. For example: 

$.get("/some/page", function(h) {
  $("iframe").contents().find("#remote").append(h)
})

If the html returned by the ajax request has any script tags, those will be eval'd in the full page even though the html is inserted into the iframe. This happens regardless of whether the html comes from an ajax request or whatever, of course.

Change History (5)

comment:1 Changed 11 years ago by dmethvin

Owner: set to john

This is a close cousin of #3105, but with the twist regarding an iframe.

comment:2 Changed 9 years ago by dmethvin

Component: coreajax
Status: newopen

comment:3 Changed 9 years ago by jitter

Milestone: 1.2.11.5
Version: 1.21.4.4

test case for completeness

comment:4 Changed 9 years ago by Rick Waldron

Keywords: ajaxrewrite added

comment:5 Changed 9 years ago by snover

Resolution: patchwelcome
Status: openclosed

I believe we decided we are not going to go out of our way to provide fixes for cross-frame activity, such as that which is being described here. This can be reopened by someone else on the team if this is not the case. We’ll be happy to accept any reasonable patches, however.

Note: See TracTickets for help on using tickets.