Only process scripts if specifically allowed

parent 9654f68d
......@@ -22,9 +22,7 @@ export class RailsUJSController extends Controller {
error (e) {
const [data] = e.detail
let fragment = this._createFragment(data)
for (const script of fragment.querySelectorAll('script')) {
eval(script.innerHTML) // eslint-disable-line no-eval
}
this._processScripts(fragment.querySelectorAll('script'))
e.currentTarget.replaceWith(fragment)
}
......@@ -46,9 +44,7 @@ export class RailsUJSController extends Controller {
if (!data.body || !el.dataset.placement) return
const df = this._documentFragment(data)
for (const script of df.querySelectorAll('script')) {
eval(script.innerHTML) // eslint-disable-line no-eval
}
this._processScripts(df.querySelectorAll('script'))
this._handleContent(el, df, el.dataset.placement)
}
......@@ -58,7 +54,7 @@ export class RailsUJSController extends Controller {
* @private
* @param {DOMElement} el
* @param {DocumentFragment} fragment
* @param {String} placement
* @param {string} placement
*/
_handleContent (el, fragment, placement) {
switch (placement) {
......@@ -117,7 +113,7 @@ export class RailsUJSController extends Controller {
/**
* @private
* @param {*} data
* @param {(string|DocumentFragment)} data
* @returns DocumentFragment
*/
_documentFragment (data) {
......@@ -143,4 +139,14 @@ export class RailsUJSController extends Controller {
_target (el) {
return document.querySelector(el.dataset.responseTarget)
}
/**
* @private
* @param {NodeList} scripts
*/
_processScripts (scripts) {
if (!this.data.get('loadScripts')) return
for (const script of scripts) eval(script.innerHTML) // eslint-disable-line no-eval
}
}
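Review bot: In `_processScripts`, the gate `if (!this.data.get('loadScripts')) return` only tests truthiness. If `this.data` is Stimulus's data map (the import is not visible here), `get` returns the raw attribute string, so a value of `"false"` would still be truthy and enable `eval`. An explicit comparison such as `if (this.data.get('loadScripts') !== 'true') return` makes the opt-in unambiguous. The loop also passes every `<script>` to `eval` regardless of its `type`, so non-JavaScript blocks such as JSON data would be evaluated too; consider skipping scripts whose `type` is not a JavaScript MIME type. The JSDoc should also say that this evaluates script text taken from the response and should be enabled only where the response body is trusted.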