From c2026b117d1ca5b2e42a52c7e2a8ae8988cf0d4b Mon Sep 17 00:00:00 2001
From: Richard Gibson <richard.gibson@gmail.com>
Date: Wed, 12 Dec 2018 11:21:24 -0500
Subject: [PATCH] Manipulation: Only evaluate HTTP-successful script src

Fixes gh-4126
Closes gh-4243
---
 src/manipulation/_evalUrl.js |  9 +++++++--
 test/unit/manipulation.js    | 17 +++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/src/manipulation/_evalUrl.js b/src/manipulation/_evalUrl.js
index f9ec7027c..1ed033673 100644
--- a/src/manipulation/_evalUrl.js
+++ b/src/manipulation/_evalUrl.js
@@ -10,11 +10,16 @@ jQuery._evalUrl = function( url ) {
 
 		// Make this explicit, since user can override this through ajaxSetup (#11264)
 		type: "GET",
-		dataType: "script",
+		dataType: "text",
 		cache: true,
 		async: false,
 		global: false,
-		"throws": true
+		"throws": true,
+
+		// Only evaluate the response if it is successful (gh-4126)
+		success: function( text ) {
+			jQuery.globalEval( text );
+		}
 	} );
 };
 
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index ddb04c7d6..300add5ec 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2818,3 +2818,20 @@ QUnit.test( "Insert script with data-URI (gh-1887)", 1, function( assert ) {
 		done();
 	}, 100 );
 } );
+
+QUnit.test( "Ignore content from unsuccessful responses (gh-4126)", 1, function( assert ) {
+	var globalEval = jQuery.globalEval;
+	jQuery.globalEval = function( code ) {
+		assert.ok( false, "no attempt to evaluate code from an unsuccessful response" );
+	};
+
+	try {
+		jQuery( "#qunit-fixture" ).append(
+			"<script src='" + url( "mock.php?action=error" ) + "'/>" );
+		assert.ok( true, "no error thrown from embedding script with unsuccessful-response src" );
+	} catch ( e ) {
+		throw e;
+	} finally {
+		jQuery.globalEval = globalEval;
+	}
+} );
-- 
2.39.5