Investigate why regular scripts are not loading when inside ajax HTML

[bob2517]

Per title. Investigate and find a solution. May need an "allow-scripts" security restriction on the ajax command to get this to work keeping security considerations in mind.

[bob2517]

May have a quick solution for this. It's not so much to do with the loading of the ajax, and more to do with the rendering method. From looking at the code with no testing at all, it looks like render-after-end, and its related functions, would work. I'm running a test now with an amended render command.

[bob2517]

My test didn't work - it looks like browsers (or at least Firefox) do not allow insertAdjacentHTML to add script tags to the page, despite it being allowed in the spec, so the spec is a bit out of date it seems or whatever is going on. There is an open issue written in November suggesting adding an option to insertAdjacentHTML to allow it but it hasn't been replied to yet: https://github.com/w3c/DOM-Parsing/issues/76

I'm seeing if there is any other solution that is sensible.

[bob2517]

I've got a potential solution regarding running the script tags after the whole html string has been rendered. So it's not the same as rendering nodes in sequence as you would if you were loading the page, but it will handle the script tag being in the right place in the DOM and the freshly inserted script tags will run after everything has rendered. With that caveat I'm going to add it into the core. I'll see if there is anything security-wise that can be done, like adding an "allow-scripts" option to the render command itself. It's not necessarily a simple solution, but will try and get it done today and onto the branch.

[bob2517]

This is now on the branch, with a new option of "allow-scripts" for the render command, and the render-after-end, etc. commands.

Example syntax: render: "{$STRING}" allow-scripts;

HTML inside components probably don't allow script tags because of the reasons mentioned above, so would need a use case to warrant adding that in.