Manipulation: Only evaluate HTTP-successful script src
authorRichard Gibson <richard.gibson@gmail.com>
Wed, 12 Dec 2018 16:21:24 +0000 (11:21 -0500)
committerMichał Gołębiowski-Owczarek <m.goleb@gmail.com>
Wed, 12 Dec 2018 16:21:24 +0000 (17:21 +0100)
Fixes gh-4126
Closes gh-4243

src/manipulation/_evalUrl.js
test/unit/manipulation.js

index f9ec7027c22bb8e996130d5c0fda34dfd8d15d4c..1ed033673c7d02c57ee5601383e76c536d833d1a 100644 (file)
@@ -10,11 +10,16 @@ jQuery._evalUrl = function( url ) {
 
                // Make this explicit, since user can override this through ajaxSetup (#11264)
                type: "GET",
-               dataType: "script",
+               dataType: "text",
                cache: true,
                async: false,
                global: false,
-               "throws": true
+               "throws": true,
+
+               // Only evaluate the response if it is successful (gh-4126)
+               success: function( text ) {
+                       jQuery.globalEval( text );
+               }
        } );
 };
 
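Review bot: The switch to `dataType: "text"` carries the fix but has no comment of its own, so a later cleanup could restore `"script"` and, presumably, bring back conversion-time evaluation of error bodies. I would add above that line `// Use "text" so no script converter evaluates the body; evaluation happens only in success (gh-4126)`. It is also worth confirming how a cross-origin `src` behaves after this change: as a "text" request it presumably goes through XHR and is subject to CORS, where a "script" request could use the script-tag transport. The opening of `jQuery._evalUrl` and of the `jQuery.ajax` call lies outside the hunk.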
index ddb04c7d62249de2fb6d825ed3ba9a21b5b0ae93..300add5ec7c6946e70db6b7f78f6550c212a8c26 100644 (file)
@@ -2818,3 +2818,20 @@ QUnit.test( "Insert script with data-URI (gh-1887)", 1, function( assert ) {
                done();
        }, 100 );
 } );
+
+QUnit.test( "Ignore content from unsuccessful responses (gh-4126)", 1, function( assert ) {
+       var globalEval = jQuery.globalEval;
+       jQuery.globalEval = function( code ) {
+               assert.ok( false, "no attempt to evaluate code from an unsuccessful response" );
+       };
+
+       try {
+               jQuery( "#qunit-fixture" ).append(
+                       "<script src='" + url( "mock.php?action=error" ) + "'/>" );
+               assert.ok( true, "no error thrown from embedding script with unsuccessful-response src" );
+       } catch ( e ) {
+               throw e;
+       } finally {
+               jQuery.globalEval = globalEval;
+       }
+} );
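Review bot: The `catch ( e ) { throw e; }` clause in the new test rethrows unchanged and adds nothing, because `finally` already restores `jQuery.globalEval` on both paths; `try { … } finally { jQuery.globalEval = globalEval; }` is enough. The stub's `code` parameter is unused, and including it in the failure message would show what was about to be evaluated if the test ever fails. The restore right after `append` is only safe because `_evalUrl` sets `async: false`, which deserves a one-line comment such as `// _evalUrl is synchronous, so the stub can be restored immediately`.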