Bug Tracker

Opened 9 years ago

Closed 9 years ago

#7168 closed bug (wontfix)

globalEval assumes JavaScript is being evaluated

Reported by: ScottyH Owned by: ScottyH
Priority: undecided Milestone: 1.4.3
Component: unfiled Version: 1.4.2
Keywords: Cc:
Blocked by: Blocking:

Description

globalEval assumes that the data argument contains JavaScript. In some (obscure) cases, globalEval may be called when attempting to evaluate a VBScript node through a dom manipulation call (e.g. append()).

I'm not even sure it's worth the added file size to do this check and change the script node's type, but it seems worth mentioning.

Change History (5)

comment:1 Changed 9 years ago by snover

Owner: set to ScottyH
Status: newpending

Are you sure? Every place I see in jQuery that calls globalEval does so only if the script type contains the word “javascript”. Please provide a test case.

comment:2 Changed 9 years ago by ScottyH

Status: pendingnew

comment:2 Changed 9 years ago by ScottyH

The problem is on line 4493 of 1.4.2. Specifically this expression, in the if condition:

!ret[i].type

The VBScript node could decide not to use the type attribute, and instead use language="VBScript".

(Trying to figure out how to attach an example)

comment:3 Changed 9 years ago by ScottyH

<html>
	<head>
		<title></title>
	</head>
	<body>
		<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js"></script>
		<script type="text/javascript">		
			var vbdetect = '<scr' + 'ipt language="VBScript">\n';
			vbdetect += "on error resume next\n";
			vbdetect += 'If Not(IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5"))) Then\n';
			vbdetect += "Else\n";
			vbdetect += "hasFlash = true\n";
			vbdetect += "End If\n";
			vbdetect += '</scr' + 'ipt>\n';
	
			$("head").append(vbdetect);
		</script>
	</body>
</html>
Last edited 9 years ago by ScottyH (previous) (diff)

comment:4 Changed 9 years ago by dmethvin

Resolution: wontfix
Status: newclosed

Since VBScript is only supported by IE, there wouldn't be much benefit to supporting it through jQuery where we're struggling mightily to make things work across browsers. For a situation like this you can rewrite the snippet in Javascript or forego jQuery and evaluate the code with an IE-specific function.

Note: See TracTickets for help on using tickets.