
Commit 025da4d

authored
Ajax: Don't auto-execute scripts unless dataType provided
PR gh-2588 made jQuery stop auto-executing cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic to same-domain scripts as well. After this change, to request that a script under a provided URL be evaluated, you need to provide `dataType: "script"` in `jQuery.ajax` options or to use `jQuery.getScript`. Fixes gh-4822 Closes gh-4825 Ref gh-2432 Ref gh-2588
1 parent a32cf63 commit 025da4d

2 files changed

+25
-59
lines changed


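--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -19,22 +19,13 @@ function canUseScriptTag( s ) {
 ( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
 }
 
-// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
-jQuery.ajaxPrefilter( function( s ) {
-if ( s.crossDomain ) {
-s.contents.script = false;
-}
-} );
-
-// Install script dataType
+// Install script dataType. Don't specify `content.script` so that an explicit
+// `dataType: "script"` is required (see gh-2432, gh-4822)
 jQuery.ajaxSetup( {
 accepts: {
 script: "text/javascript, application/javascript, " +
 "application/ecmascript, application/x-ecmascript"
 },
-contents: {
-script: /\b(?:java|ecma)script\b/
-},
 converters: {
 "text script": function( text ) {
 jQuery.globalEval( text );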
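--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
@@ -71,13 +71,20 @@ QUnit.module( "ajax", {
 };
 } );
 
-ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
 function( assert ) {
 return {
 create: function( options ) {
-options.crossDomain = true;
+var xhr;
+options.method = "POST";
 options.dataType = "script";
-return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
+options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
+xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
+assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
+return xhr;
+},
+beforeSend: function( _jqXhr, settings ) {
+assert.strictEqual( settings.type, "GET", "Type changed to GET" );
 },
 success: function() {
 assert.ok( true, "success" );
@@ -89,20 +96,13 @@ QUnit.module( "ajax", {
 }
 );
 
-ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
+ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided", 3,
 function( assert ) {
 return {
 create: function( options ) {
-var xhr;
-options.method = "POST";
+options.crossDomain = true;
 options.dataType = "script";
-options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
-xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
-assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
-return xhr;
-},
-beforeSend: function( _jqXhr, settings ) {
-assert.strictEqual( settings.type, "GET", "Type changed to GET" );
+return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
 },
 success: function() {
 assert.ok( true, "success" );
@@ -114,22 +114,16 @@ QUnit.module( "ajax", {
 }
 );
 
-ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
-return {
-create: function( options ) {
-options.crossDomain = true;
-return jQuery.ajax( url( "mock.php?action=script&header" ), options );
-},
-success: function() {
-assert.ok( true, "success" );
-},
-fail: function() {
-assert.ok( false, "fail" );
-},
-complete: function() {
-assert.ok( true, "complete" );
-}
-};
+jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
+ajaxTest( "jQuery.ajax() - do not execute JS (gh-2432, gh-4822) " + label, 1, function( assert ) {
+return {
+url: url( "mock.php?action=script&header" ),
+crossDomain: crossDomain,
+success: function() {
+assert.ok( true, "success" );
+}
+};
+} );
 } );
 
 ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
@@ -1439,25 +1433,6 @@ QUnit.module( "ajax", {
 };
 } );
 
-ajaxTest( "jQuery.ajax() - script by content-type", 2, function() {
-return [
-{
-url: baseURL + "mock.php?action=script",
-data: {
-"header": "script"
-},
-success: true
-},
-{
-url: baseURL + "mock.php?action=script",
-data: {
-"header": "ecma"
-},
-success: true
-}
-];
-} );
-
 ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
 return {
 url: baseURL + "mock.php?action=json",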