Skip to main content

Bug Tracker

Side navigation

#1611 closed bug (patchwelcome)

Opened September 13, 2007 02:48PM UTC

Closed January 02, 2011 10:50PM UTC

Last modified March 14, 2012 03:40AM UTC

inserting html into iframe evals scripts in parent context

Reported by: codekitchen Owned by: john
Priority: major Milestone: 1.5
Component: ajax Version: 1.4.4
Keywords: ajaxrewrite Cc:
Blocked by: Blocking:

Related to the new contents() function in jQuery 1.2, domManip doesn't have any idea that the HTML snippet you are inserting is going into an iframe on the page, and it evals any script tags in the parent context, not the iframe context. For example:

$.get("/some/page", function(h) {

If the html returned by the ajax request has any script tags, those will be eval'd in the full page even though the html is inserted into the iframe. This happens regardless of whether the html comes from an ajax request or whatever, of course.

Attachments (0)
Change History (5)

Changed January 08, 2009 05:05AM UTC by dmethvin comment:1

owner: → john

This is a close cousin of #3105, but with the twist regarding an iframe.

Changed November 17, 2010 01:12AM UTC by dmethvin comment:2

component: coreajax
status: newopen

Changed November 25, 2010 11:06PM UTC by jitter comment:3


test case for completeness

Changed December 27, 2010 10:36PM UTC by rwaldron comment:4

keywords: → ajaxrewrite

Changed January 02, 2011 10:50PM UTC by snover comment:5

resolution: → patchwelcome
status: openclosed

I believe we decided we are not going to go out of our way to provide fixes for cross-frame activity, such as that which is being described here. This can be reopened by someone else on the team if this is not the case. We’ll be happy to accept any reasonable patches, however.