Don't try and evaluate a script body if the script is being loaded remotely #510


fblee commented May 8, 2012

If a src attribute is specified in a script tag, the body of the tag should typically be blank, and should not be evaluated. Certain sites, such as LinkedIn's Javascript library, rely on this non-evaluating behavior of the browsers to configure their library on load.

My commit updates zepto so it behaves identically when adding a script tag to the HTML page as when doing it programmatically with zepto.


mislav commented May 8, 2012

I didn't know this! Can you point me to examples of usage of SCRIPT tag with src + body?

Your change seems good but we need tests, too. Can you add them?


fblee commented May 10, 2012

No problem! The LinkedIn Javascript API makes use of that technique (section 3):

Having experimented a bit more, I suspect zepto also needs to take action when a src attribute is present in a script tag to ensure the referenced code gets fetched and executed. I'll try to debug further and submit more tests/patches as appropriate.


romanrudenko commented May 26, 2012

More on script evaluation:

  • jQuery does synchronous AJAX fetches for scripts with src. That sounds like a sane enough approach, but adds an ajax dependency. Maybe make fetching conditional on availability of ajax module?
  • The current code does not seem to check what document the scripts are inserted into. If a parent page manipulates an iframe by injecting markup into it, we'd want code to execute in context of the iframe (or is all this too esoteric?)
  • I'd suggest checking if walking up parentNode chain actually gets us to a document. If not, we are adding scripts to a detached element, and it is too soon to run them.

mislav closed this in 9ca4cdb Sep 29, 2012

mislav added a commit that referenced this pull request Sep 29, 2012

lopper added a commit to buddydvd/zepto that referenced this pull request Apr 24, 2013

don't eval <script> content when "src" is present
A SCRIPT tag can have both a "src" attribute and script content. In
those cases, the remote script is downloaded and the content is ignored.
Zepto should do the same when manually eval'ing SCRIPTs.

Fixes #510
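
The rule in the commit message above, combined with the attached-document check suggested earlier in the thread, as an added example (not Zepto's code and not written by any participant). The names `owningDocument`, `classifyScript` and `evalPlan` are hypothetical, and plain objects stand in for DOM nodes so the logic runs without a browser.

```javascript
// Added example. Plain objects stand in for DOM nodes (constructed sample data)
// so the decision logic runs under Node without a browser.
const DOCUMENT_NODE = 9;

// Walk the parentNode chain; return the owning document, or null if detached.
function owningDocument(node) {
  for (let cur = node; cur; cur = cur.parentNode) {
    if (cur.nodeType === DOCUMENT_NODE) return cur;
  }
  return null;
}

// Decide what a manual "run the inserted scripts" pass should do with one node.
function classifyScript(node) {
  if (!node.nodeName || node.nodeName.toUpperCase() !== 'SCRIPT') return 'not-script';
  if (node.type && node.type !== 'text/javascript') return 'skip-non-js-type';
  if (node.src) return 'skip-body-src-present'; // browsers ignore the body here
  if (!owningDocument(node)) return 'defer-detached'; // too soon to run
  return 'eval';
}

// Return the inline bodies to evaluate, each paired with its target document.
function evalPlan(nodes) {
  return nodes
    .filter((n) => classifyScript(n) === 'eval')
    .map((n) => ({ code: n.innerHTML, doc: owningDocument(n).name }));
}

// Constructed sample tree: a top document and an iframe document.
const topDoc = { nodeType: DOCUMENT_NODE, name: 'top' };
const frameDoc = { nodeType: DOCUMENT_NODE, name: 'iframe' };
const topBody = { nodeType: 1, nodeName: 'BODY', parentNode: topDoc };
const frameBody = { nodeType: 1, nodeName: 'BODY', parentNode: frameDoc };
const detachedDiv = { nodeType: 1, nodeName: 'DIV', parentNode: null };

const sampleNodes = [
  { nodeName: 'SCRIPT', src: '', innerHTML: 'window.a = 1', parentNode: topBody },
  // src + body: the body is configuration for the remote library, not code to run
  { nodeName: 'SCRIPT', src: 'https://cdn.example.test/lib.js',
    innerHTML: 'api_key: CONSTRUCTED_KEY', parentNode: topBody },
  { nodeName: 'SCRIPT', type: 'text/template', src: '', innerHTML: '<b>x</b>', parentNode: topBody },
  { nodeName: 'SCRIPT', src: '', innerHTML: 'window.b = 2', parentNode: frameBody },
  { nodeName: 'SCRIPT', src: '', innerHTML: 'window.c = 3', parentNode: detachedDiv },
  { nodeName: 'P', innerHTML: 'text', parentNode: topBody },
];

console.log(sampleNodes.map(classifyScript), evalPlan(sampleNodes));
```

Pairing each body with its owning document lets the caller evaluate it in that document's window instead of the parent page's, which is the iframe case raised in the thread.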
