What I'm worried about is attacks on existing pages. So far, in jQuery, executing javascript was bound to conscious actions by devs:

- inserting HTML in the document (ajax doesn't execute embedded script automagically),
- jsonp,
- specific ajax wrappers (getScript, load) or cross-domain access to scripts (what getScript hides).

(I may forget some.) With the change you landed, any cross-domain ajax request through xhr that doesn't specify the dataType (expecting text or xml as of 1.3) can be tricked by a third party into executing code (since, as of 1.4 latest, all the server has to do is to specify an application/javascript content-type). I'm not against it per se, you know I'm a big fan of jsonp and cross-domain madness, but this particular situation seems a bit dangerous to me.

2010/1/7 John Resig <jere...@gmail.com>

> > btw, I also saw you landed an auto-fetching for script (FYI, I
> > "synchronized" the rewrite with latest changes, including javascript
> > auto-execution) but I believe it is just plain wrong to let the server
> > decide what should be executed client-side (especially with cross-domain
> > xhr getting more widespread). Protected JSON decoding is fine by me but
> > javascript silently getting executed seems like a hell of a hole.
>
> If you're worried about JavaScript coming to the client and executing
> there's little that jQuery can do to try and stop it - especially
> since script tags could be injected into raw HTML and get inserted
> into a site. If you're worried about auto-executing script then you
> should also be worried about getScript and .load().
>
> --John

--
You received this message because you are subscribed to the Google Groups "jQuery Development" group.
To post to this group, send email to jquery-...@googlegroups.com.
To unsubscribe from this group, send email to jquery-dev+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/jquery-dev?hl=en.
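The situation the message above describes (a caller that leaves dataType unset, so the server's Content-Type decides whether the body is treated as text or handed to the script path) can be seen in a small model. This is an added example, not code from the thread and not jQuery's own implementation: the Content-Type classification rules, the permissiveHandle/hardenedHandle functions and the third-party.example URL are assumptions made for illustration, and the "script" path is modelled as a flag rather than an eval so nothing is ever executed.

```javascript
// Added example (not from the thread, not jQuery's code): a simplified model of how a
// client decides what to do with an XHR response body depending on whether the caller
// pinned a dataType. The inference rules below are an assumption for illustration,
// loosely following the behaviour described in the message (server Content-Type wins
// when the caller says nothing).

// Infer a dataType from the response Content-Type when the caller gave none.
function inferDataType(contentType) {
  const ct = (contentType || "").split(";")[0].trim().toLowerCase();
  if (ct === "application/javascript" || ct === "text/javascript") return "script";
  if (ct === "application/json") return "json";
  if (ct === "text/xml" || ct === "application/xml") return "xml";
  return "text";
}

// What each dataType does with the body. "script" is modelled as a flag, not an eval,
// so this example never executes any response content.
function dispatch(type, body) {
  switch (type) {
    case "script": return { type, executed: true, data: body };
    case "json":   return { type, executed: false, data: JSON.parse(body) };
    case "xml":    return { type, executed: false, data: body };
    default:       return { type: "text", executed: false, data: body };
  }
}

// Permissive model: with no explicit dataType, trust the server's Content-Type.
// A cross-origin server answering with application/javascript therefore gets its
// body routed to the script path even though the caller expected text.
function permissiveHandle(response, requestedDataType) {
  const type = requestedDataType || inferDataType(response.contentType);
  return dispatch(type, response.body);
}

// Hardened model: the script path is taken only when the caller asked for it
// explicitly. An executable Content-Type that was not requested is downgraded to
// text and flagged, which is also a useful signal to log on the client side.
function hardenedHandle(response, requestedDataType) {
  let type = requestedDataType || inferDataType(response.contentType);
  let warning = null;
  if (type === "script" && requestedDataType !== "script") {
    warning = `refused script path for ${response.contentType} from ${response.url}; treated as text`;
    type = "text";
  }
  const result = dispatch(type, response.body);
  result.warning = warning;
  return result;
}

// Constructed sample (hypothetical origin): a cross-origin response that claims to
// be JavaScript. The body is a plain string and is never evaluated here.
const crossOriginResponse = {
  url: "https://third-party.example/data",
  contentType: "application/javascript; charset=utf-8",
  body: "console.log('served as script')",
};

// Caller expected text but did not say so: the permissive model routes it to script.
const permissive = permissiveHandle(crossOriginResponse, undefined);
// The hardened model keeps it inert and records why.
const hardened = hardenedHandle(crossOriginResponse, undefined);
// Simply pinning dataType to "text" has the same effect under the permissive model.
const pinned = permissiveHandle(crossOriginResponse, "text");
```

The practical takeaway for a caller is the third case: a cross-domain request that expects text or xml should say so in its dataType, so that the server's Content-Type never gets to choose the script path on its behalf.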