Ajax: Don't auto-execute scripts unless dataType provided
PR gh-2588 made jQuery stop auto-executing cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic to same-domain scripts as well. After this change, to request that a script at a provided URL be evaluated, you need to provide `dataType: "script"` in `jQuery.ajax` options or use `jQuery.getScript`. Fixes gh-4822 Closes gh-4825 Ref gh-2432 Ref gh-2588
parent
a32cf6324f
commit
025da4dd34
@ -19,22 +19,13 @@ function canUseScriptTag( s ) {
|
|||||||
( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
|
( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
|
// Install script dataType. Don't specify `content.script` so that an explicit
|
||||||
jQuery.ajaxPrefilter( function( s ) {
|
// `dataType: "script"` is required (see gh-2432, gh-4822)
|
||||||
if ( s.crossDomain ) {
|
|
||||||
s.contents.script = false;
|
|
||||||
}
|
|
||||||
} );
|
|
||||||
|
|
||||||
// Install script dataType
|
|
||||||
jQuery.ajaxSetup( {
|
jQuery.ajaxSetup( {
|
||||||
accepts: {
|
accepts: {
|
||||||
script: "text/javascript, application/javascript, " +
|
script: "text/javascript, application/javascript, " +
|
||||||
"application/ecmascript, application/x-ecmascript"
|
"application/ecmascript, application/x-ecmascript"
|
||||||
},
|
},
|
||||||
contents: {
|
|
||||||
script: /\b(?:java|ecma)script\b/
|
|
||||||
},
|
|
||||||
converters: {
|
converters: {
|
||||||
"text script": function( text ) {
|
"text script": function( text ) {
|
||||||
jQuery.globalEval( text );
|
jQuery.globalEval( text );
|
||||||
|
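Review bot: The new comment above `jQuery.ajaxSetup` refers to `content.script`, but the option removed in this same hunk is `contents.script`, so the comment should read ``Don't specify `contents.script` so that an explicit `dataType: "script"` is required``. Separately, the cross-domain prefilter that forced `s.contents.script = false` is removed along with the default. An application or plugin that restores `contents.script` through its own `jQuery.ajaxSetup` would therefore presumably get content-type-based evaluation back for cross-origin responses too, not only same-origin ones. It is worth adding one line to the comment saying that re-adding `contents.script` re-enables auto-execution for every origin. The `jQuery.ajaxSetup` call continues past the end of the hunk, so the rest of the `"text script"` converter is not visible here.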
@ -71,24 +71,6 @@ QUnit.module( "ajax", {
|
|||||||
};
|
};
|
||||||
} );
|
} );
|
||||||
|
|
||||||
ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
|
|
||||||
function( assert ) {
|
|
||||||
return {
|
|
||||||
create: function( options ) {
|
|
||||||
options.crossDomain = true;
|
|
||||||
options.dataType = "script";
|
|
||||||
return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
|
|
||||||
},
|
|
||||||
success: function() {
|
|
||||||
assert.ok( true, "success" );
|
|
||||||
},
|
|
||||||
complete: function() {
|
|
||||||
assert.ok( true, "complete" );
|
|
||||||
}
|
|
||||||
};
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
|
ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
|
||||||
function( assert ) {
|
function( assert ) {
|
||||||
return {
|
return {
|
||||||
@ -114,22 +96,34 @@ QUnit.module( "ajax", {
|
|||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
|
ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided", 3,
|
||||||
|
function( assert ) {
|
||||||
return {
|
return {
|
||||||
create: function( options ) {
|
create: function( options ) {
|
||||||
options.crossDomain = true;
|
options.crossDomain = true;
|
||||||
return jQuery.ajax( url( "mock.php?action=script&header" ), options );
|
options.dataType = "script";
|
||||||
|
return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
|
||||||
},
|
},
|
||||||
success: function() {
|
success: function() {
|
||||||
assert.ok( true, "success" );
|
assert.ok( true, "success" );
|
||||||
},
|
},
|
||||||
fail: function() {
|
|
||||||
assert.ok( false, "fail" );
|
|
||||||
},
|
|
||||||
complete: function() {
|
complete: function() {
|
||||||
assert.ok( true, "complete" );
|
assert.ok( true, "complete" );
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
|
jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
|
||||||
|
ajaxTest( "jQuery.ajax() - do not execute JS (gh-2432, gh-4822) " + label, 1, function( assert ) {
|
||||||
|
return {
|
||||||
|
url: url( "mock.php?action=script&header" ),
|
||||||
|
crossDomain: crossDomain,
|
||||||
|
success: function() {
|
||||||
|
assert.ok( true, "success" );
|
||||||
|
}
|
||||||
|
};
|
||||||
|
} );
|
||||||
} );
|
} );
|
||||||
|
|
||||||
ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
|
ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
|
||||||
@ -1439,25 +1433,6 @@ QUnit.module( "ajax", {
|
|||||||
};
|
};
|
||||||
} );
|
} );
|
||||||
|
|
||||||
ajaxTest( "jQuery.ajax() - script by content-type", 2, function() {
|
|
||||||
return [
|
|
||||||
{
|
|
||||||
url: baseURL + "mock.php?action=script",
|
|
||||||
data: {
|
|
||||||
"header": "script"
|
|
||||||
},
|
|
||||||
success: true
|
|
||||||
},
|
|
||||||
{
|
|
||||||
url: baseURL + "mock.php?action=script",
|
|
||||||
data: {
|
|
||||||
"header": "ecma"
|
|
||||||
},
|
|
||||||
success: true
|
|
||||||
}
|
|
||||||
];
|
|
||||||
} );
|
|
||||||
|
|
||||||
ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
|
ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
|
||||||
return {
|
return {
|
||||||
url: baseURL + "mock.php?action=json",
|
url: baseURL + "mock.php?action=json",
|
||||||
|
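Review bot: In the new `do not execute JS (gh-2432, gh-4822)` test, non-execution is enforced only implicitly through the expected-assertion count of 1, and `crossDomain` receives the `jQuery.each` index (0 or 1) rather than a boolean. Writing `crossDomain: !!crossDomain` and adding a comment such as `// The mock script would add an assertion if evaluated; the expected count of 1 fails the test in that case` (assuming that is what the mock response does) would make the security property being tested explicit. The negative case also requests only `mock.php?action=script&header`, while the removed "script by content-type" test covered both the `script` and `ecma` header values. A second iteration with `header=ecma` and no `dataType` would confirm that neither content type triggers evaluation.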