为什么浏览器不运行<脚本>在通过 fetch API 检索的 HTML 片段中?

2022-01-20 00:00:00 fetch javascript

我正在尝试使用 fetch API 获取 HTML 片段,然后将其添加到 HTML 页面.虽然这适用于 HTML 内容,但我注意到如果我在片段中放置一个 <script> 标记,该标记不会被剥离,但它也不会被执行.

I was experimenting with getting a fragment of HTML using the fetch API, and then adding it to an HTML page. While this works fine for HTML content, I noticed that if I put a <script> tag in the fragment, the tag isn't stripped out, but it also isn't executed.

下面是一个例子.我希望 alert 会触发,但它不会触发,即使脚本标记出现在页面上.

Below is an example. I would expect the alert to fire, but it doesn't, even though the script tag appears on the page.

我的问题是 (1) 为什么 <script> 没有得到评估,以及 (2) 有没有办法让它评估?

My questions are (1) why does the <script> not get evaluated, and (2) is there a way to make it evaluate?

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>Index</title>
  </head>
  <body>
    <script src="main.js"></script>
  </body>
</html>

fragment.html

<h1>Hello</h1>
<p>It works</p>
<script>
  alert('hello') // doesn't work, but script still appears on page
</script>

main.js

fetch('fragment.html').then((res)=>{
  return res.text()
}).then((data)=>{
  var div = document.createElement('div')
  div.innerHTML = data
  document.body.appendChild(div)
})

推荐答案

因为这就是 HTML 规范规定:

使用innerHTML 插入的脚本元素在被插入时不会执行插入.

script elements inserted using innerHTML do not execute when they are inserted.

我在这里做出假设,但可能是为了引入一层安全性,这样您就不会意外引入 XSS 或 代码注入.

I'm making assumptions here, but it's probably to introduce a layer of security so that you don't accidentally introduce XSS or code injection.

如果你想让脚本运行,获取它们的内容,创建一个特定的 <script> 元素,将脚本的主体设置为内容,然后将其插入到 DOM 中:

If you want to get the scripts to run, take their content, create a specific <script> element, set the script's body to the content, and then insert that into the DOM:

const script = document.createElement("script"),
  text = document.createTextNode("console.log('foo')");

script.appendChild(text);
document.body.appendChild(script);

相关文章