Ensure String#extractScripts and String#evalScripts ignore SCRIPT tags with a type attribute set to a non-JavaScript MIME-type. (Closes prototypejs#304)

Author: savetheclocktower

src/prototype/lang/string.js

@@ -337,9 +337,25 @@ Object.extend(String.prototype, (function() {
   function extractScripts() {
     var matchAll = new RegExp(Prototype.ScriptFragment, 'img'),
         matchOne = new RegExp(Prototype.ScriptFragment, 'im');
-    return (this.match(matchAll) || []).map(function(scriptTag) {
-      return (scriptTag.match(matchOne) || ['', ''])[1];
+    var matchMimeType = new RegExp(Prototype.ExecutableScriptFragment, 'im');
+    var matchTypeAttribute = /type=/i;
+
+    var results = [];
+    (this.match(matchAll) || []).each(function(scriptTag) {
+      var match = scriptTag.match(matchOne);
+      var attributes = match[1];
+      if (attributes !== '') {
+        // If the script has a `type` attribute, make sure it has a
+        // JavaScript MIME-type. If not, ignore it.
+        attributes = attributes.strip();
+        var hasTypeAttribute = (matchTypeAttribute).test(attributes);
+        var hasMimeType = (matchMimeType).test(attributes);
+        if (hasTypeAttribute && !hasMimeType) return;
+      }
+      results.push(match ? match[2] : '');
     });
+
+    return results;
   }
 
   /**

src/prototype/prototype.js

@@ -120,7 +120,8 @@ var Prototype = {
     SpecificElementExtensions: true
   },
 
-  ScriptFragment: '<script[^>]*>([\\S\\s]*?)<\/script\\s*>',
+  ScriptFragment: '<script([^>]*)>([\\S\\s]*?)<\/script\\s*>',
+  ExecutableScriptFragment: /(?:text|application)\/(?:x-)?(?:java|ecma)script/i,
   JSONFilter: /^\/\*-secure-([\s\S]*)\*\/\s*$/,
 
   /**

test/unit/tests/string.test.js

@@ -238,6 +238,9 @@ suite('String', function () {
       ('foo <script>boo();<'+'/script><script type="text/javascript">boo();\nmoo();<'+'/script>bar').extractScripts());
     assert.enumEqual(['boo();','boo();\nmoo();'],
       ('foo <script>boo();<'+'/script>blub\nblub<script type="text/javascript">boo();\nmoo();<'+'/script>bar').extractScripts());
+
+    assert.enumEqual([], ('<' + 'script type="x-something">wat();<' + '/script>').extractScripts());
+    assert.enumEqual(['wat();'], ('<' + 'script type="text/javascript">wat();<' + '/script>').extractScripts());
   });
 
   test('#evalScripts', function () {
@@ -250,6 +253,27 @@ suite('String', function () {
     (3).times(function(){ stringWithScripts += 'foo <script>evalScriptsCounter++<'+'/script>bar' });
     stringWithScripts.evalScripts();
     assert.equal(4, evalScriptsCounter);
+
+   // Other executable MIME-types.
+    ('foo <script type="text/javascript">evalScriptsCounter++<'+'/script>bar')
+      .evalScripts();
+    ('foo <script type="application/javascript">evalScriptsCounter++<'+'/script>bar')
+      .evalScripts();
+    ('foo <script type="application/x-javascript">evalScriptsCounter++<'+'/script>bar')
+      .evalScripts();
+    ('foo <script type="text/x-javascript">evalScriptsCounter++<'+'/script>bar')
+      .evalScripts();
+    ('foo <script type="application/ecmascript">evalScriptsCounter++<'+'/script>bar')
+      .evalScripts();
+    ('foo <script type="text/ecmascript">evalScriptsCounter++<'+'/script>bar')
+      .evalScripts();
+
+    assert.equal(10, evalScriptsCounter);
+
+    // a wrong one
+    ('foo <script type="text/x-dot-template">evalScriptsCounter++<'+'/script>bar').evalScripts();
+
+    assert.equal(10, evalScriptsCounter);
   });
 
   test('#escapeHTML', function () {