#6307 closed bug (wontfix)
jQuery .load() does not execute scripts when called with a selector in the URL
| Reported by: | Pointy | Owned by: | Pointy |
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | ajax | Version: | 1.6b1 |
| Keywords: | neededdocs | Cc: | |
| Blocked by: | Blocking: |
Description
The ".load()" API always removes script blocks from the markup loaded into the document. However, when called with a plain URL lacking a suffixed selector expression, the loaded content is handed to the ".html()" API before scripts are removed, and that code takes care to save and execute the stripped-out script blocks before throwing them away. When called with a selector expression appended to the URL, the scripts are stripped out before the DOM is updated and so are never executed.
Note that in both cases I'm talking about script blocks within the content actually loaded into the target DOM. In the first case, that's obvious, because the content returned from the xhr is always loaded in its entirety. In the second case, that of there being a selector at the end of the URL, I'm talking about script blocks within the response portion chosen by the selector.
This is not a subtle issue and it's trivial to demonstrate by example, and the cause is quite obvious in the "load()" code. It may be that there's a good reason for the difference in behavior, but there's no mention of how scripts are handled by "load()" in the documentation.
Change History (10)
comment:1 Changed 7 years ago by
| Owner: | set to Pointy |
|---|---|
| Priority: | → low |
| Status: | new → pending |
comment:2 Changed 7 years ago by
| Status: | pending → new |
|---|
I can't provide a jsFiddle example, because I can't use $.load properly from that domain. I will, however, provide a test case elsewhere and post the URL here when it's done.
comment:4 Changed 7 years ago by
| Keywords: | script execution load added |
|---|---|
| Milestone: | 1.4.3 → 1.5 |
| Status: | new → open |
Seems valid. I can verify on my machine. I suppose we should prevent scripts from running in _all_ cases?
comment:5 Changed 7 years ago by
Well dropping support for script execution on loaded content might cause half the internet to stop working, seems like. As far as I'm concerned, documenting the difference (and explaining why it's hard/unpleasant to change) would suffice.
comment:6 Changed 7 years ago by
| Keywords: | ajaxrewrite added |
|---|
comment:7 Changed 6 years ago by
no SlexAxton, that's not a good alternative, some of us relay on that functionality deeply, but it would be good to just document the difference like Pointy said.
comment:8 Changed 6 years ago by
Interesting finding! I believe this bug goes much further than that! There is exactly zero documentation about how script blocks are handled when using $.html() or $.load() . Take into account that executing script blocks during DOM manipulation is definitely a security issue. I'm sure many devs would like to know what to expect and how to switch it on/off.
comment:9 Changed 6 years ago by
| Keywords: | needsdocs added |
|---|---|
| Resolution: | → wontfix |
| Status: | open → closed |
| Version: | 1.4.2 → 1.6b1 |
Confirmed this is still present in 1.6b1. I think we just need to document the different behavior of load.
comment:10 Changed 6 years ago by
| Keywords: | neededdocs added; script execution load ajaxrewrite needsdocs removed |
|---|
The docs for this have been updated to reflect the changes mentioned.
Can you please provide us a test case reproducing the issue that you've encountered on jsFiddle?. Once this has been done we will be better able to assist in narrowing down the cause and solution to the problem. Thanks.