From 220a0ce1628d376ec14394c9b0be3c10f92a4cdb Mon Sep 17 00:00:00 2001 From: Brandon Sterne Date: Mon, 17 Jan 2011 16:31:12 -0500 Subject: [PATCH] Defer scriptEval test until first use to prevent Content Security Policy inline-script violations from occuring. Fixes #7371. --- src/core.js | 2 +- src/support.js | 52 ++++++++++++++++++++++++++++++-------------------- 2 files changed, 32 insertions(+), 22 deletions(-) diff --git a/src/core.js b/src/core.js index fbf64910..4311e310 100644 --- a/src/core.js +++ b/src/core.js @@ -583,7 +583,7 @@ jQuery.extend({ script.type = "text/javascript"; - if ( jQuery.support.scriptEval ) { + if ( jQuery.support.scriptEval() ) { script.appendChild( document.createTextNode( data ) ); } else { script.text = data; diff --git a/src/support.js b/src/support.js index e4c3ea91..f502811a 100644 --- a/src/support.js +++ b/src/support.js @@ -4,10 +4,7 @@ jQuery.support = {}; - var root = document.documentElement, - script = document.createElement("script"), - div = document.createElement("div"), - id = "script" + jQuery.now(); + var div = document.createElement("div"); div.style.display = "none"; div.innerHTML = "
a"; @@ -64,7 +61,7 @@ deleteExpando: true, optDisabled: false, checkClone: false, - scriptEval: false, + _scriptEval: null, noCloneEvent: true, boxModel: null, inlineBlockNeedsLayout: false, @@ -77,32 +74,45 @@ select.disabled = true; jQuery.support.optDisabled = !opt.disabled; - script.type = "text/javascript"; - try { - script.appendChild( document.createTextNode( "window." + id + "=1;" ) ); - } catch(e) {} + jQuery.support.scriptEval = function() { + if ( jQuery.support._scriptEval === null) { + var root = document.documentElement, + script = document.createElement("script"), + id = "script" + jQuery.now(); - root.insertBefore( script, root.firstChild ); + script.type = "text/javascript"; + try { + script.appendChild( document.createTextNode( "window." + id + "=1;" ) ); + } catch(e) {} - // Make sure that the execution of code works by injecting a script - // tag with appendChild/createTextNode - // (IE doesn't support this, fails, and uses .text instead) - if ( window[ id ] ) { - jQuery.support.scriptEval = true; - delete window[ id ]; - } + root.insertBefore( script, root.firstChild ); + + // Make sure that the execution of code works by injecting a script + // tag with appendChild/createTextNode + // (IE doesn't support this, fails, and uses .text instead) + if ( window[ id ] ) { + jQuery.support._scriptEval = true; + delete window[ id ]; + } else { + jQuery.support._scriptEval = false; + } + + root.removeChild( script ); + // release memory in IE + root = script = id = null; + } + return jQuery.support._scriptEval; + }; // Test to see if it's possible to delete an expando from an element // Fails in Internet Explorer try { - delete script.test; + delete div.test; } catch(e) { jQuery.support.deleteExpando = false; } - root.removeChild( script ); - if ( div.attachEvent && div.fireEvent ) { div.attachEvent("onclick", function click() { // Cloning a node shouldn't copy over any @@ -191,6 +201,6 @@ jQuery.support.changeBubbles = eventSupported("change"); // release memory in IE - root = script = div = all = a = null; + div = all = a = null; })(); })( jQuery );