i have an "ajax engine" based on jQuery. And after receiving the response i must manipulate the response before inserting in page. But I need the response as an jQuery object. I do this with:

tmpActualResult = $( '<span/>' ).html( actualResult );

But at this time jQuery (or browser itself?) execute the scripts which are included in response - and exactly this shouldn't occur. I will execute the scripts manual later.

in particular I will:

1. parse response (get access to the tags/elements which are included)
2. insert the elements into page (DOM manipulating)
3. execute possible scripts (which are received)

in thanks

Edit: If someone is interested too, i've created a more general solution by extending the jQuery.domManip function, as suggested in first answer.

(function($, oldDomManip) {
// Override the core domManip function
$.fn.domManip = function() {

    function evalScript(i, elem) {
        jQuery.globalEval(elem.text || elem.textContent || elem.innerHTML || "");
    }

    var scripts = [];
    // let jQuery build the fragments
    var results = jQuery.buildFragment(arguments[0], this, scripts);
    // change parameter to created fragments
    arguments[0] = results.fragment.childNodes;
    // do what jQuery will do - without scripts
    oldDomManip.apply(this, arguments);
    if (scripts.length) {
        // if connection is active
        if (jQuery.active != 0) {
            $(this).bind("ajaxStop.scriptCache", function() {
                $.each(scripts, evalScript);
                $(this).unbind("ajaxStop.scriptCache");
            });
        } else
            $.each(scripts, evalScript);
    }
    return this;
};
})(jQuery, jQuery.fn.domManip);

it will not execute scripts before ajax request is pleted. worked for me.

i have an "ajax engine" based on jQuery. And after receiving the response i must manipulate the response before inserting in page. But I need the response as an jQuery object. I do this with:

tmpActualResult = $( '<span/>' ).html( actualResult );

But at this time jQuery (or browser itself?) execute the scripts which are included in response - and exactly this shouldn't occur. I will execute the scripts manual later.

in particular I will:

1. parse response (get access to the tags/elements which are included)
2. insert the elements into page (DOM manipulating)
3. execute possible scripts (which are received)

in thanks

Edit: If someone is interested too, i've created a more general solution by extending the jQuery.domManip function, as suggested in first answer.

(function($, oldDomManip) {
// Override the core domManip function
$.fn.domManip = function() {

    function evalScript(i, elem) {
        jQuery.globalEval(elem.text || elem.textContent || elem.innerHTML || "");
    }

    var scripts = [];
    // let jQuery build the fragments
    var results = jQuery.buildFragment(arguments[0], this, scripts);
    // change parameter to created fragments
    arguments[0] = results.fragment.childNodes;
    // do what jQuery will do - without scripts
    oldDomManip.apply(this, arguments);
    if (scripts.length) {
        // if connection is active
        if (jQuery.active != 0) {
            $(this).bind("ajaxStop.scriptCache", function() {
                $.each(scripts, evalScript);
                $(this).unbind("ajaxStop.scriptCache");
            });
        } else
            $.each(scripts, evalScript);
    }
    return this;
};
})(jQuery, jQuery.fn.domManip);

it will not execute scripts before ajax request is pleted. worked for me.

• javascript
• jquery

Share Improve this question Follow edited Aug 31, 2011 at 12:55 chuem asked Aug 30, 2011 at 14:00 chuemchuem 11111 silver badge99 bronze badges 2

• What is exactly the response? – Py. Commented Aug 30, 2011 at 14:07
• At this time a simple HTML String. (with possible script tags) – chuem Commented Aug 30, 2011 at 14:10

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 4

You can't prevent script execution of scripts that are part of a string of markup you're trying to add using .html() or .append(). At least not without extending the domManip function of jQuery. It extracts all scripts in html markup that you're trying to add using .html() or .append() and evals it.

You could, however, extract the script tags with their inner text (js) from the string yourself, add only the markup via .html() or .append() and then eval the scripts yourself when you need to.

Try this:

var container = document.createElement('div');
container.innerHTML = "<div> i am html with script tag <script type="text/javascript">alert('Script executed');</script>end</div>"
$(container).doSomething()