
How does jQuery getScript method ensure secure execution of dynamically loaded JavaScript?

Developer https://www.devze.com 2023-03-10 16:29 Source: Internet

I want to dynamically load a JS file using AJAX and execute it. I am referring to this page, which says, "At this time, the preferred way of injecting JS code seems to be to use AJAX to load the JS source, then eval() the code."

But I am worried about using eval to execute the script. Just to see how jQuery implements this, I checked its source and found this:

getScript: function( url, callback ) {
    return jQuery.get( url, undefined, callback, "script" );
}

Then I searched for the jQuery get method. But there are several get methods defined. I am new to OOP in JS and don't understand where to look for the correct get method.

I want to know how it executes the script - whether it uses eval or not and if yes, how is it secure.

Can someone guide me on how I can look for the correct get method?


There is nothing to ensure "security" (that actually can't be done).
It is on you to just load trusted scripts.

After some delegating, jQuery will call a method called "globalEval" which either runs .execScript() (IE) or a standard window.eval() on the transferred script files. Either way, the script which gets executed has access to anything.

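The answer's point, that the evaluated script can reach everything and the only control is deciding what to load, as an added example that is not part of the original thread and is not jQuery's code. It assumes the script body was fetched as text first; the names `runIfTrusted`, `TRUSTED_ORIGINS`, the URLs and the sample scripts are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed allow-list: the only origin this page agrees to run code from.
const TRUSTED_ORIGINS = new Set(["https://static.example.com"]);

function sha256Base64(text) {
  return crypto.createHash("sha256").update(text, "utf8").digest("base64");
}

// Stand-in for a global eval: indirect eval runs the source in global scope,
// so the code sees every global the page itself can see.
function globalEval(source) {
  return (0, eval)(source);
}

// Execute a fetched body only if it came from an allow-listed HTTPS origin
// and its SHA-256 digest matches the value pinned when the script was reviewed.
function runIfTrusted(url, body, pinnedDigest) {
  const u = new URL(url);
  if (u.protocol !== "https:" || !TRUSTED_ORIGINS.has(u.origin)) {
    return { executed: false, reason: "origin not allow-listed" };
  }
  if (sha256Base64(body) !== pinnedDigest) {
    return { executed: false, reason: "digest mismatch" };
  }
  globalEval(body);
  return { executed: true, reason: "ok" };
}

function demo() {
  globalThis.appState = { user: "alice" };          // constructed page state
  const good = "globalThis.widgetSaw = appState.user;"; // constructed script
  const pin = sha256Base64(good);                   // digest pinned at review
  const tampered = good + " appState.user = 'changed';";
  return {
    ok: runIfTrusted("https://static.example.com/widget.js", good, pin),
    badOrigin: runIfTrusted("https://cdn.other.example/widget.js", good, pin),
    badBody: runIfTrusted("https://static.example.com/widget.js", tampered, pin),
    widgetSaw: globalThis.widgetSaw, // the accepted script read page state
    user: globalThis.appState.user,  // the tampered body never ran
  };
}

console.log(demo());
```

The accepted script still reads `appState` freely, so the checks only narrow which code gets that access. For scripts loaded with a plain `<script>` tag, the browser's Subresource Integrity `integrity` attribute performs the same digest comparison.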