Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Defer scriptEval test until first use to prevent Content Security Pol…

…icy inline-script violations from occuring. Fixes #7371.
  • Loading branch information...
commit 220a0ce1628d376ec14394c9b0be3c10f92a4cdb 1 parent f01ef93
Brandon Sterne authored jeresig committed
Showing with 34 additions and 24 deletions.
  1. +1 −1  src/core.js
  2. +33 −23 src/support.js
View
2  src/core.js
@@ -583,7 +583,7 @@ jQuery.extend({
script.type = "text/javascript";
- if ( jQuery.support.scriptEval ) {
+ if ( jQuery.support.scriptEval() ) {
script.appendChild( document.createTextNode( data ) );
} else {
script.text = data;
View
56 src/support.js
@@ -4,10 +4,7 @@
jQuery.support = {};
- var root = document.documentElement,
- script = document.createElement("script"),
- div = document.createElement("div"),
- id = "script" + jQuery.now();
+ var div = document.createElement("div");
div.style.display = "none";
div.innerHTML = " <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>";
@@ -64,7 +61,7 @@
deleteExpando: true,
optDisabled: false,
checkClone: false,
- scriptEval: false,
+ _scriptEval: null,
noCloneEvent: true,
boxModel: null,
inlineBlockNeedsLayout: false,
@@ -77,32 +74,45 @@
select.disabled = true;
jQuery.support.optDisabled = !opt.disabled;
- script.type = "text/javascript";
- try {
- script.appendChild( document.createTextNode( "window." + id + "=1;" ) );
- } catch(e) {}
-
- root.insertBefore( script, root.firstChild );
-
- // Make sure that the execution of code works by injecting a script
- // tag with appendChild/createTextNode
- // (IE doesn't support this, fails, and uses .text instead)
- if ( window[ id ] ) {
- jQuery.support.scriptEval = true;
- delete window[ id ];
- }
+ jQuery.support.scriptEval = function() {
+ if ( jQuery.support._scriptEval === null) {
+ var root = document.documentElement,
+ script = document.createElement("script"),
+ id = "script" + jQuery.now();
+
+ script.type = "text/javascript";
+ try {
+ script.appendChild( document.createTextNode( "window." + id + "=1;" ) );
+ } catch(e) {}
+
+ root.insertBefore( script, root.firstChild );
+
+ // Make sure that the execution of code works by injecting a script
+ // tag with appendChild/createTextNode
+ // (IE doesn't support this, fails, and uses .text instead)
+ if ( window[ id ] ) {
+ jQuery.support._scriptEval = true;
+ delete window[ id ];
+ } else {
+ jQuery.support._scriptEval = false;
+ }
+
+ root.removeChild( script );
+ // release memory in IE
+ root = script = id = null;
+ }
+ return jQuery.support._scriptEval;
+ };
// Test to see if it's possible to delete an expando from an element
// Fails in Internet Explorer
try {
- delete script.test;
+ delete div.test;
} catch(e) {
jQuery.support.deleteExpando = false;
}
- root.removeChild( script );
-
if ( div.attachEvent && div.fireEvent ) {
div.attachEvent("onclick", function click() {
// Cloning a node shouldn't copy over any
@@ -191,6 +201,6 @@
jQuery.support.changeBubbles = eventSupported("change");
// release memory in IE
- root = script = div = all = a = null;
+ div = all = a = null;
})();
})( jQuery );
Please sign in to comment.
Something went wrong with that request. Please try again.