Bug Tracker

Opened 7 years ago

Closed 6 years ago

Last modified 5 years ago

#6307 closed bug (wontfix)

jQuery .load() does not execute scripts when called with a selector in the URL

Reported by: Pointy Owned by: Pointy
Priority: low Milestone:
Component: ajax Version: 1.6b1
Keywords: neededdocs Cc:
Blocked by: Blocking:


The ".load()" API always removes script blocks from the markup loaded into the document. However, when called with a plain URL lacking a suffixed selector expression, the loaded content is handed to the ".html()" API before scripts are removed, and that code takes care to save and execute the stripped-out script blocks before throwing them away. When called with a selector expression appended to the URL, the scripts are stripped out before the DOM is updated and so are never executed.

Note that in both cases I'm talking about script blocks within the content actually loaded into the target DOM. In the first case, that's obvious, because the content returned from the xhr is always loaded in its entirety. In the second case, that of there being a selector at the end of the URL, I'm talking about script blocks within the response portion chosen by the selector.

This is not a subtle issue and it's trivial to demonstrate by example, and the cause is quite obvious in the "load()" code. It may be that there's a good reason for the difference in behavior, but there's no mention of how scripts are handled by "load()" in the documentation.

Change History (10)

comment:1 Changed 6 years ago by addyosmani

Owner: set to Pointy
Priority: low
Status: newpending

Can you please provide us a test case reproducing the issue that you've encountered on jsFiddle?. Once this has been done we will be better able to assist in narrowing down the cause and solution to the problem. Thanks.

comment:2 Changed 6 years ago by Pointy

Status: pendingnew

I can't provide a jsFiddle example, because I can't use $.load properly from that domain. I will, however, provide a test case elsewhere and post the URL here when it's done.

comment:3 Changed 6 years ago by Pointy

You can see a simple test page here:


comment:4 Changed 6 years ago by SlexAxton

Keywords: script execution load added
Status: newopen

Seems valid. I can verify on my machine. I suppose we should prevent scripts from running in _all_ cases?

comment:5 Changed 6 years ago by Pointy

Well dropping support for script execution on loaded content might cause half the internet to stop working, seems like. As far as I'm concerned, documenting the difference (and explaining why it's hard/unpleasant to change) would suffice.

comment:6 Changed 6 years ago by Rick Waldron

Keywords: ajaxrewrite added

comment:7 Changed 6 years ago by fealls@…

no SlexAxton, that's not a good alternative, some of us relay on that functionality deeply, but it would be good to just document the difference like Pointy said.

comment:8 Changed 6 years ago by sibidiba

Interesting finding! I believe this bug goes much further than that! There is exactly zero documentation about how script blocks are handled when using $.html() or $.load() . Take into account that executing script blocks during DOM manipulation is definitely a security issue. I'm sure many devs would like to know what to expect and how to switch it on/off.

comment:9 Changed 6 years ago by timmywil

Keywords: needsdocs added
Resolution: wontfix
Status: openclosed

Confirmed this is still present in 1.6b1. I think we just need to document the different behavior of load.

comment:10 Changed 6 years ago by addyosmani

Keywords: neededdocs added; script execution load ajaxrewrite needsdocs removed

The docs for this have been updated to reflect the changes mentioned.

Note: See TracTickets for help on using tickets.