author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2021-01-26 15:58:29 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-26 15:58:29 +0100 |
commit | 025da4dd343e6734f3d3c1b4785b1548498115d8 (patch) | |
tree | 6c5d93a976296645953818d7a922a5531827be12 /src/ajax | |
parent | a32cf6324f8f2190e66a687e94be9687ebf840b7 (diff) | |
Ajax: Don't auto-execute scripts unless dataType provided
PR gh-2588 made jQuery stop auto-executing cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic to same-domain scripts as well.
After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script"` in `jQuery.ajax` options or to use
`jQuery.getScript`.
Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
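An added example, not part of the commit or of jQuery's source: a simplified model of content-type based dataType inference, showing which responses would reach the `"text script"` converter before and after this change. The base `contents` patterns, the `"text"` fallback, the sample response and all function names are assumptions of the model.

```javascript
// Simplified model of dataType inference from Content-Type (not jQuery source).
// `contents` maps a dataType name to a regex tested against the header value.
const BASE_CONTENTS = { xml: /\bxml\b/, html: /\bhtml/, json: /\bjson\b/ };

// Before the commit: includes the script regex from the removed `contents` entry.
const contentsBefore = { ...BASE_CONTENTS, script: /\b(?:java|ecma)script\b/ };
// After the commit: no script entry, so nothing is inferred as "script".
const contentsAfter = { ...BASE_CONTENTS };

// Mirrors the removed prefilter: cross-domain requests never inferred "script".
function applyOldPrefilter(contents, crossDomain) {
  return crossDomain ? { ...contents, script: false } : contents;
}

// Returns the dataType the response would be converted as.
// An explicit dataType always wins; otherwise the Content-Type is sniffed.
function resolveDataType(contents, contentType, explicitDataType) {
  if (explicitDataType) return explicitDataType;
  for (const type of Object.keys(contents)) {
    if (contents[type] && contents[type].test(contentType)) return type;
  }
  return "text"; // model's fallback: treat the body as inert text
}

// Converter stand-in: reports whether the body would be handed to globalEval.
function handleResponse(contents, response, explicitDataType) {
  const type = resolveDataType(contents, response.contentType, explicitDataType);
  return { type, evaluated: type === "script" };
}

// Constructed sample: an endpoint answering with a JavaScript content type.
const sample = { contentType: "application/javascript; charset=utf-8", body: "/* constructed */" };

function demo() {
  return {
    beforeSameDomain: handleResponse(applyOldPrefilter(contentsBefore, false), sample),
    beforeCrossDomain: handleResponse(applyOldPrefilter(contentsBefore, true), sample),
    afterSameDomain: handleResponse(contentsAfter, sample),
    afterExplicit: handleResponse(contentsAfter, sample, "script"),
  };
}

console.log(demo());
```

Only `beforeSameDomain` and `afterExplicit` report `evaluated: true`, so after the change evaluation happens only where the caller asked for it.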
Diffstat (limited to 'src/ajax')
-rw-r--r-- | src/ajax/script.js | 13 |
1 files changed, 2 insertions, 11 deletions
diff --git a/src/ajax/script.js b/src/ajax/script.js index 203ea08e0..fee8a66e0 100644 --- a/src/ajax/script.js +++ b/src/ajax/script.js @@ -19,22 +19,13 @@ function canUseScriptTag( s ) { ( s.async && jQuery.inArray( "json", s.dataTypes ) < 0 ); } -// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) -jQuery.ajaxPrefilter( function( s ) { - if ( s.crossDomain ) { - s.contents.script = false; - } -} ); - -// Install script dataType +// Install script dataType. Don't specify `content.script` so that an explicit +// `dataType: "script"` is required (see gh-2432, gh-4822) jQuery.ajaxSetup( { accepts: { script: "text/javascript, application/javascript, " + "application/ecmascript, application/x-ecmascript" }, - contents: { - script: /\b(?:java|ecma)script\b/ - }, converters: { "text script": function( text ) { jQuery.globalEval( text ); |
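Review bot: The new comment above `jQuery.ajaxSetup` refers to `content.script`, but the key removed a few lines further down is `contents: { script: ... }`, so the comment should say `contents.script` to match the real option name and stay searchable. Because the `"text script"` converter kept as context still calls `jQuery.globalEval( text )`, the comment could also state that only inference from the response Content-Type is being dropped, and that a response requested with an explicit `dataType: "script"` is still evaluated, which is the part callers need to keep restricted to trusted URLs.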