From 025da4dd343e6734f3d3c1b4785b1548498115d8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
Date: Tue, 26 Jan 2021 15:58:29 +0100
Subject: [PATCH] Ajax: Don't auto-execute scripts unless dataType provided

PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well.

After this change, to request a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`.

Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
---
 src/ajax/script.js | 13 ++-------
 test/unit/ajax.js | 71 +++++++++++++++-------------------------------
 2 files changed, 25 insertions(+), 59 deletions(-)

diff --git a/src/ajax/script.js b/src/ajax/script.js
index 203ea08e0..fee8a66e0 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -19,22 +19,13 @@ function canUseScriptTag( s ) {
 ( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 );
 }
 
-// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
-jQuery.ajaxPrefilter( function( s ) {
- if ( s.crossDomain ) {
- s.contents.script = false;
- }
-} );
-
-// Install script dataType
+// Install script dataType. Don't specify `content.script` so that an explicit
+// `dataType: "script"` is required (see gh-2432, gh-4822)
 jQuery.ajaxSetup( {
 accepts: {
 script: "text/javascript, application/javascript, " +
 "application/ecmascript, application/x-ecmascript"
 },
- contents: {
- script: /\b(?:java|ecma)script\b/
- },
 converters: {
 "text script": function( text ) {
 jQuery.globalEval( text );
diff --git a/test/unit/ajax.js b/test/unit/ajax.js
index 271496ce1..4ab17e8eb 100644
--- a/test/unit/ajax.js
+++ b/test/unit/ajax.js
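Review bot: The new comment names `content.script`, but the key it refers to is `contents.script` — the entry removed a few lines further down is `contents: { script: /\b(?:java|ecma)script\b/ }` — so the comment points at an option that does not exist; change the first line to `// Install script dataType. Don't specify \`contents.script\` so that an explicit`. The comment would also be more useful if it said why omitting the entry matters: without it jQuery no longer infers the "script" dataType from a JavaScript Content-Type, so the `"text script"` converter — which still calls `jQuery.globalEval` — only runs when the caller opts in with `dataType: "script"`. It is worth stating in the same comment that this is only a default and not a hard block: as far as I can tell, a `contents.script` entry added back via `jQuery.ajaxSetup` or a per-request `contents` option re-enables content-type sniffing for every request, whereas the removed prefilter used to force it off for cross-domain requests unconditionally. The `jQuery.ajaxSetup( {` call continues past the end of the hunk.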
@@ -71,13 +71,20 @@ QUnit.module( "ajax", {
 };
 } );
 
- ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
+ ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
 function( assert ) {
 return {
 create: function( options ) {
- options.crossDomain = true;
+ var xhr;
+ options.method = "POST";
 options.dataType = "script";
- return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
+ options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
+ xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
+ assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
+ return xhr;
+ },
+ beforeSend: function( _jqXhr, settings ) {
+ assert.strictEqual( settings.type, "GET", "Type changed to GET" );
 },
 success: function() {
 assert.ok( true, "success" );
@@ -89,20 +96,13 @@ QUnit.module( "ajax", {
 }
 );
 
- ajaxTest( "jQuery.ajax() - custom attributes for script tag", 5,
+ ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided", 3,
 function( assert ) {
 return {
 create: function( options ) {
- var xhr;
- options.method = "POST";
+ options.crossDomain = true;
 options.dataType = "script";
- options.scriptAttrs = { id: "jquery-ajax-test", async: "async" };
- xhr = jQuery.ajax( url( "mock.php?action=script" ), options );
- assert.equal( jQuery( "#jquery-ajax-test" ).attr( "async" ), "async", "attr value" );
- return xhr;
- },
- beforeSend: function( _jqXhr, settings ) {
- assert.strictEqual( settings.type, "GET", "Type changed to GET" );
+ return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
 },
 success: function() {
 assert.ok( true, "success" );
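Review bot: The only positive test for an explicit `dataType: "script"` still sets `options.crossDomain = true` in `create`, so the same-domain case this commit newly changes — a same-origin script that must still be evaluated once the caller opts in — is not exercised in this file, even though the negative "do not execute JS" test further down is parametrised over both domains. The test could use the same `jQuery.each( [ " - Same Domain", " - Cross Domain" ], ... )` wrapper, set `options.crossDomain = crossDomain;` and append `label` to the test name, as sketched below. `jQuery.getScript` tests elsewhere may already cover same-domain evaluation, but they are not visible from this diff. The `ajaxTest` callback continues past the end of the hunk.

```javascript
	jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
		ajaxTest( "jQuery.ajax() - execute JS when dataType option is provided" + label, 3,
			function( assert ) {
				return {
					create: function( options ) {
						options.crossDomain = crossDomain;
						options.dataType = "script";
						return jQuery.ajax( url( "mock.php?action=script&header=ecma" ), options );
					},
					// … unchanged: success/complete callbacks; the each() wrapper is closed with `} );` after the ajaxTest call …
```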
@@ -114,22 +114,16 @@ QUnit.module( "ajax", {
 }
 );
 
- ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
- return {
- create: function( options ) {
- options.crossDomain = true;
- return jQuery.ajax( url( "mock.php?action=script&header" ), options );
- },
- success: function() {
- assert.ok( true, "success" );
- },
- fail: function() {
- assert.ok( false, "fail" );
- },
- complete: function() {
- assert.ok( true, "complete" );
- }
- };
+ jQuery.each( [ " - Same Domain", " - Cross Domain" ], function( crossDomain, label ) {
+ ajaxTest( "jQuery.ajax() - do not execute JS (gh-2432, gh-4822) " + label, 1, function( assert ) {
+ return {
+ url: url( "mock.php?action=script&header" ),
+ crossDomain: crossDomain,
+ success: function() {
+ assert.ok( true, "success" );
+ }
+ };
+ } );
 } );
 
 ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
@@ -1439,25 +1433,6 @@ QUnit.module( "ajax", {
 };
 } );
 
- ajaxTest( "jQuery.ajax() - script by content-type", 2, function() {
- return [
- {
- url: baseURL + "mock.php?action=script",
- data: {
- "header": "script"
- },
- success: true
- },
- {
- url: baseURL + "mock.php?action=script",
- data: {
- "header": "ecma"
- },
- success: true
- }
- ];
- } );
-
 ajaxTest( "jQuery.ajax() - JSON by content-type", 5, function( assert ) {
 return {
 url: baseURL + "mock.php?action=json",
-- 
2.39.5
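Review bot: The two new "do not execute JS" tests only assert `assert.ok( true, "success" )` in the success callback, which passes whether or not the response body was evaluated, so a regression that re-adds content-type sniffing (the exact behaviour this commit removes) would still pass here; the removed test had the same gap. If the script served by `mock.php?action=script&header` leaves an observable trace — a global it sets or a node it appends; I can't see mock.php from this diff — assert its absence inside `success` and raise the expected count to 2, so the test pins "not evaluated" rather than merely "request succeeded". As a minor style point, `crossDomain` here is the `jQuery.each` index (0/1) rather than a boolean; `crossDomain: !!crossDomain` makes the intent clearer while keeping the same-domain case explicitly set rather than left for jQuery to detect.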