Fix mistake in JS response parser:

- Restore ability to accept ecmascript JS response should not modify DOM.
2017-04-13 16:58:36 +03:00 · 2017-04-13 16:58:36 +03:00 · db65f73f2e
parent faca40dfd4
commit db65f73f2e
2 changed files with 31 additions and 3 deletions
--- a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
+++ b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
@ -64,10 +64,10 @@ processResponse = (response, type) ->
  if typeof response is 'string' and typeof type is 'string'
    if type.match(/\bjson\b/)
      try response = JSON.parse(response)
-    else if type.match(/\bjavascript\b/)
+    else if type.match(/\b(?:java|ecma)script\b/)
      script = document.createElement('script')
-      script.innerHTML = response
-      document.body.appendChild(script)
+      script.text = response
+      document.head.appendChild(script).parentNode.removeChild(script)
    else if type.match(/\b(xml|html|svg)\b/)
      parser = new DOMParser()
      type = type.replace(/;.+/, '') # remove something like ';charset=utf-8'
--- a/actionview/test/ujs/public/test/call-remote.js
+++ b/actionview/test/ujs/public/test/call-remote.js
@ -100,6 +100,34 @@ asyncTest('JS code should be executed', 1, function() {
  submit()
 })

+asyncTest('ecmascript code should be executed', 1, function() {
+  buildForm({ method: 'post', 'data-type': 'script' })
+
+  $('form').append('<input type="text" name="content_type" value="application/ecmascript">')
+  $('form').append('<input type="text" name="content" value="ok(true, \'remote code should be run\')">')
+
+  submit()
+})
+
+asyncTest('execution of JS code does not modify current DOM', 1, function() {
+  var docLength, newDocLength
+  function getDocLength() {
+    return document.documentElement.outerHTML.length
+  }
+
+  buildForm({ method: 'post', 'data-type': 'script' })
+
+  $('form').append('<input type="text" name="content_type" value="text/javascript">')
+  $('form').append('<input type="text" name="content" value="\'remote code should be run\'">')
+
+  docLength = getDocLength()
+
+  submit(function() {
+    newDocLength = getDocLength()
+    ok(docLength === newDocLength, 'executed JS should not present in the document')
+  })
+})
+
 asyncTest('XML document should be parsed', 1, function() {
  buildForm({ method: 'post', 'data-type': 'html' })