Don't inject application/json as javascript

[tchiotludo]

We can have script tag with json data

<script id="data" type="application/json">{org: 10, items:["one","two"]}</script>

These tag is not evaluated by browers as javascript if type="application/json" is present.
This PR prevent spf to inject these tags as javascript

[DavidCPhillips]

I think this is important, but I have a couple of issues.

1. As is, this'll drop the script entirely. It's probably a fine first step, as it's pretty close to the current behavior, but we probably need to allow these to be available in some capacity, either in the DOM or in some other structure. Since you presumably have a use case, thoughts?
2. This is probably better off as a Whitelist of valid types instead of a blacklist. How about only allowing scripts with empty types or type='text/javascript'?
3. Please add tests.

[tchiotludo]

1. the script is not drop, it was inject in the dom as is without any modification but not send to javascript engine, In my case, I use this kind of script <script type="application/json"> to inject configuration for web component & locale available only on the server side, I can get the dom element and parse it with a simple JSON.parse(document.getElementById("main"))
2. good idea, done
3. also done

[tchiotludo]

I understand the point 1) now.
I didn't see the frag.replace function that drop the script ...
It's fixed now.

[nicksay]

Please use the spf.string.contains function so the compiler can re-use the function call:

var inject = !type || spf.string.contains(type[1], '/javascript') ||
    spf.string.contains(type[1], '/x-javascript') ||
    spf.string.contains(type[1], '/ecmascript');

[nicksay]

Thanks for the PR! This is looking good; I've just added a couple minor comments, but after those are fixed, I'll merge this in.

[tchiotludo]

I've just made last cleanup & squash commits

[nicksay]

Hi there! Unfortunately it looks the constant definition was lost in the last update:

src/client/nav/response.js:585: ERROR - element TYPE does not exist on this enum
          var type = spf.nav.response.AttributeRegEx.TYPE.exec(attr);

https://travis-ci.org/youtube/spfjs/builds/131329855

[tchiotludo]

oups, sorry. It's ok now.
I've added text/css for style tag that is also concern

[nicksay]

Great, the last thing I'll need is for you to update onto the latest changes from master so I can merge this!

[tchiotludo]

Great news, it's merged

[nicksay]

Would you mind squashing your commits?

[tchiotludo]

I think it's done, I'm not confortable with git rebase ...

[nicksay]

Looks perfect, thanks!