
Manipulation: Only evaluate HTTP-successful script src

Fixes gh-4126
Closes gh-4243
gibson042 authored and mgol committed Dec 12, 2018
1 parent 4ffb1df commit c2026b117d1ca5b2e42a52c7e2a8ae8988cf0d4b
Showing with 24 additions and 2 deletions.
  1. +7 −2 src/manipulation/_evalUrl.js
  2. +17 −0 test/unit/manipulation.js
@@ -10,11 +10,16 @@ jQuery._evalUrl = function( url ) {

// Make this explicit, since user can override this through ajaxSetup (#11264)
type: "GET",
dataType: "script",
dataType: "text",
cache: true,
async: false,
global: false,
"throws": true
"throws": true,

// Only evaluate the response if it is successful (gh-4126)
success: function( text ) {
jQuery.globalEval( text );
}
} );
};
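Review bot: Switching `dataType` to `"text"` takes this request out of the `"script"` data type, so any `jQuery.ajaxPrefilter( "script", ... )` or script converter an application registered (for example one that restricts where scripts may be loaded from) presumably no longer sees URLs fetched through `_evalUrl`. The `success` handler also passes the body to `jQuery.globalEval` whatever content type the server declared. If that trade-off is intended, record it next to the option, e.g. `// "text" keeps the default script converter from evaluating an error body; script-typed prefilters do not run for this request`. Otherwise consider keeping `dataType: "script"` and suppressing only the automatic evaluation. The body of `jQuery._evalUrl` starts above this hunk.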

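--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2818,3 +2818,20 @@ QUnit.test( "Insert script with data-URI (gh-1887)", 1, function( assert ) {
 done();
 }, 100 );
 } );
+
+QUnit.test( "Ignore content from unsuccessful responses (gh-4126)", 1, function( assert ) {
+var globalEval = jQuery.globalEval;
+jQuery.globalEval = function( code ) {
+assert.ok( false, "no attempt to evaluate code from an unsuccessful response" );
+};
+
+try {
+jQuery( "#qunit-fixture" ).append(
+"<script src='" + url( "mock.php?action=error" ) + "'/>" );
+assert.ok( true, "no error thrown from embedding script with unsuccessful-response src" );
+} catch ( e ) {
+throw e;
+} finally {
+jQuery.globalEval = globalEval;
+}
+} );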
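Review bot: The stub on `jQuery.globalEval` is restored in `finally` as soon as `.append()` returns, so the test only proves anything while `_evalUrl` stays synchronous (`async: false`). If the fetch ever became asynchronous, the original `globalEval` would be back before the error response arrived and the test would pass without checking anything. A comment above the `try` would record that dependency, e.g. `// _evalUrl fetches synchronously, so the stub is still in place when the response is handled`. The `catch ( e ) { throw e; }` clause only rethrows and can be dropped unless it works around an old-browser `try`/`finally` quirk, in which case it deserves a comment of its own. The stub's `code` parameter is unused.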
