tags:

views:

55

answers:

4
+2  Q: 

How do I prevent javascript returned from an ajax request from executing when the response is inserted into the DOM?

So, I see so many people wondering how to execute JS code returned via ajax. I wish I had that problem. My JS executes, but I don't want it too!

Using jQuery 1.4.2, I'm making a GET request:

$.ajax({
  url:'/myurl/',
  type:'GET',
  success:function(response){
    $('body').html(response);
  }
});

The response looks something like:

<p>Some content</p> 
<script>alert("hi!");</script>

Whenever the success callback fires and the response is injected into the DOM, the alert code fires! I don't want that to happen. What can I do to prevent this?

A: 

If you can't modify the response, try to "replace" <script> tags:

"<script>alert('hi');</script>".replace(/<(\/?script)/gi, "&lt;$1");

This should escape the tags, making they appear as plain text instead of executing.

Related links

BrunoLM  2010-10-12 00:31:14
I'm trying to avoid a regex solution. I have no idea who will be creating the response content, and if it's something crazy, I'd like to make sure the solution is infallible. Thanks for the suggestion though!
Kappers  2010-10-12 00:37:30
@Kappers: That sounds complicated. I guess you would need some `xml parser`. I'm not sure if there is any in js. I guess you would need a second request to some service that remove potentially dangerous tags/attributes.
BrunoLM  2010-10-12 00:48:37
I was under the impression that jQuery did something to remove scripts from collections when you inserted via .html(); I found an article from 2009 about it, and a buddy of mine actually had a problem recently where he wasn't seeing scripts in his response. I briefly looked at jQuery source and couldn't find any evidence of the strippage though. Not sure what I'm going to do just yet :)
Kappers  2010-10-12 00:55:16
A: 

Depends. Do you need the JavaScript, or can you just get rid of it? If you don't need it at all, you could do something like

response = response.replace(/<script.*?<\/script>/gi, "");

However, if you need it, you're going to need to figure out how to kill just the function call(s) that you don't want. Using your example of an alert:

response = response.replace(/alert\(.*?\)/gi, "alert");

By getting rid of the trailing parens, and whatever they contain, you stop the function call from happening. Obviously, what you'll need in your regex will depend on the actual code that's causing the problem.

Sid_M  2010-10-12 00:43:09
Yeah, the javascript can't go away. Unfortunately, I have no way of knowing *exactly* what will be produced in the response. It could be anything. The requirements state that it *could* contain scripts and that the full response needs to be injected on the page - including any script tags. As I mentioned to @BrunoLM, I'm leery of using regex for this simply because I don't know what the output will be. :(
Kappers  2010-10-12 00:57:56
Without getting very complicated, I only see 3 options: (1) Don't mess with the JS, and make it clear that it's the responsibility of whoever introduces it on the server side; (2) Remove the JS completely as in my first regex; (3) Choose some very specific calls to kill, as in my second regex, and leave the rest alone. Anything else risks breaking something they want.
Sid_M  2010-10-12 01:15:03
A:  
 $('body').html(response.replace(/(<script)[^\>]*/g,'$1 src="emptyfile.js"'));

where emptyfile.js exists but has no content.

kennebec  2010-10-12 02:01:12
A: 

Hello there, did you try returning function() snippets like
<script>
function Hello(){
alert('Hello');
}
</script>
This way the your JS doesn't execute right away but can be called later when required. But, again it depends what you actually want to do.

Ajaxe  2010-10-20 13:44:41

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript