Skip to main content

Bug Tracker

Side navigation

#6558 closed bug (invalid)

Opened May 11, 2010 05:57PM UTC

Closed June 26, 2012 02:28AM UTC

appendTo allows script tags to leak into the DOM

Reported by: arn_o Owned by:
Priority: low Milestone: 1.next
Component: manipulation Version: 1.4.4
Keywords: append appendto head script Cc:
Blocked by: Blocking:
Description

In firefox 3.6.3 when I use

$('head').append('<script type="text/javascript" src="/src.js"></script>');

The script is loaded correctly but I can't retrieve this freshly added <script> tag in the list when I ask for it:

jsList = $("head > script[src][type='text/javascript']");

However I can retrieve it if I add it this way:

$('<script type="text/javascript" src="/src.js"></script>').appendTo('head');

or this way:

var e = document.createElement("script");

e.src = '/src.js';

e.type="text/javascript";

head.appendChild(e);

Shouldn't those three ways of adding a <script> tag to the <head> behave the same way ?

Attachments (0)
Change History (6)

Changed November 12, 2010 02:40AM UTC by snover comment:1

milestone: 1.4.3

Resetting milestone to future.

Changed November 21, 2010 04:55AM UTC by snover comment:2

milestone: → 1.4.5
priority: → low
status: newopen
summary: different behaviour between $('head').append('<script ...') and $('<script...').appendTo('head')appendTo allows script tags to leak into the DOM
version: 1.4.21.4.4

appendTo should not be appending the script tag.

Changed July 12, 2011 07:34PM UTC by john comment:3

#7626 is a duplicate of this ticket.

Changed July 12, 2011 07:35PM UTC by john comment:4

This has to do with how jQuery executes script tags - we remove script tags that we execute in order to not run them again, we need to the same here for the $("script").appendTo() case. Confirmed in triage.

Changed February 11, 2012 03:45PM UTC by gibson042 comment:5

I cannot reproduce this with 1.7.1 or jquery-git. Was it fixed somewhere along the line?

Changed June 26, 2012 02:28AM UTC by dmethvin comment:6

resolution: → invalid
status: openclosed

It may have been fixed but since there have been no recent reports/confirmations and there wasn't a test case I'll mark it invalid.