On Tue, 29 Dec 2009 22:52:45 +0100, Tobias Hoffmann <smilingt...@googlemail.com> wrote:

[...]

> And with html and script blocks we already have the 'eval'-behavior (which I
> did not think of in my original post).

[...]

But not until the moment the developer chooses to place it into the DOM (when using $.ajax()). Granted, that's the whole point of retrieving the html, but the execution does occur at a different point than would the json (httpData). Just throwin' this in here for completeness.

> My intent was not to say "We need to change that", but to point to this
> issue and ask "Have you thought about that?" If we come to the conclusion
> that this won't happen / make things worse (i.e. apart from what the
> developer already has to take care of wrt. ajax requests) for real-world
> applications, and maybe add a note to the documentation: "Always specify a
> dataType for unknown/untrusted content, because of possible script
> execution [even for html!]" -- that's fine with me, too.
>
> Tobias
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "jQuery Development" group.
> To post to this group, send email to jquery-...@googlegroups.com.
> To unsubscribe from this group, send email to
> jquery-dev+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/jquery-dev?hl=en.
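The point both messages circle around (an omitted dataType lets the response's Content-Type decide whether the body is parsed, returned as text, or evaluated as script, while html only executes once it is inserted into the DOM) can be made concrete with a small model. The code below is an added illustration, not jQuery's own code and not from this thread; it sketches the branch order of jQuery 1.x `httpData` from memory (`interpretResponse`, `placeIntoDom`, `makeRecorder`, `runScenarios` and the sample responses are all constructed for this example), and swaps a recording hook in for `globalEval` so the decision can be observed without executing anything.

```javascript
// Simplified model of how an AJAX response is interpreted when dataType is
// omitted versus given explicitly. Branch order and Content-Type sniffing
// follow the shape of jQuery 1.x httpData(); this is a sketch, not the
// library's implementation.

// hooks.evaluate stands in for jQuery.globalEval. Passing a recorder instead
// of eval lets us observe whether execution *would* happen.
function interpretResponse(response, dataType, hooks) {
  const ct = (response.contentType || "").toLowerCase();
  const body = response.body;

  if (dataType === "xml" || (!dataType && ct.includes("xml"))) {
    return { kind: "xml", value: body }; // real code would hand back responseXML
  }
  if (dataType === "json" || (!dataType && ct.includes("json"))) {
    return { kind: "json", value: JSON.parse(body) };
  }
  if (dataType === "script" || (!dataType && ct.includes("javascript"))) {
    // Execution happens here, inside the data-conversion step, before the
    // success callback ever sees the response.
    hooks.evaluate(body);
    return { kind: "script", value: body };
  }
  // "html" and "text" both come back as a plain string; nothing runs yet.
  return { kind: dataType || "text", value: body };
}

// For html, scripts only run when the developer later places the markup into
// the DOM. This stand-in for that step finds inline <script> bodies and hands
// them to the same hook, so the later execution point is visible too.
function placeIntoDom(html, hooks) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m, count = 0;
  while ((m = re.exec(html)) !== null) {
    hooks.evaluate(m[1]);
    count++;
  }
  return count;
}

function makeRecorder() {
  const seen = [];
  return { seen, evaluate: (src) => seen.push(src) };
}

// Constructed sample responses (not real traffic). The first is what an
// untrusted endpoint could return with a script content type.
const JS_RESPONSE = { contentType: "text/javascript", body: "console.log('from response')" };
const HTML_RESPONSE = { contentType: "text/html", body: "<p>hi</p><script>console.log('inline')</script>" };
const JSON_RESPONSE = { contentType: "application/json", body: '{"ok":true}' };

function runScenarios() {
  const out = {};

  // 1. dataType omitted, Content-Type says javascript: the body goes to
  //    evaluate() during conversion, with no DOM insertion involved.
  let rec = makeRecorder();
  interpretResponse(JS_RESPONSE, undefined, rec);
  out.untypedJs = rec.seen.length;

  // 2. Same response, caller asked for "text": it is just a string.
  rec = makeRecorder();
  const asText = interpretResponse(JS_RESPONSE, "text", rec);
  out.textTyped = rec.seen.length;
  out.textKind = asText.kind;

  // 3. Same response, caller asked for "json": parsing fails loudly instead
  //    of executing anything.
  rec = makeRecorder();
  let jsonError = null;
  try { interpretResponse(JS_RESPONSE, "json", rec); } catch (e) { jsonError = e.name; }
  out.jsonTypedError = jsonError;
  out.jsonTypedEvaluated = rec.seen.length;

  // 4. html: nothing runs at fetch time; it runs at the separate insertion step.
  rec = makeRecorder();
  const asHtml = interpretResponse(HTML_RESPONSE, "html", rec);
  out.htmlAfterFetch = rec.seen.length;
  out.htmlAfterInsert = placeIntoDom(asHtml.value, rec);

  // 5. Well-typed JSON is parsed with or without an explicit dataType.
  rec = makeRecorder();
  out.jsonValue = interpretResponse(JSON_RESPONSE, undefined, rec).value.ok;

  return out;
}
```

Running `runScenarios()` shows the two execution points the thread distinguishes: scenario 1 evaluates during conversion with no DOM involvement, scenario 4 evaluates only when `placeIntoDom` is called, and scenarios 2 and 3 show that an explicit `dataType` of "text" or "json" removes the sniffing branch entirely, which is what the suggested documentation note asks developers to do for untrusted content.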