buildFragment does not wrap html when elem starts with SCRIPT tag about jquery HOT 4 CLOSED

The only elements allowed inside a TR are TD or TH. Anything else is invalid markup.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/tr#technical_summary

For a string that is valid markup, jQuery would have created valid DOM elements for it. So now it's a question of how invalid markup should be handled, which is often not very well defined. I don't know if this is covered in a spec.

At least for a recent Chrome, it appears that any invalid element that has content and appears in a TR is effectively converted to a TD even if you use DOM methods.
https://jsfiddle.net/rbzkt239/

Again in Chrome, non-content elements like SCRIPT and LINK don't create a TD. Since the DOM methods don't execute embedded scripts like jQuery, it's not quite the same.
https://jsfiddle.net/7sxwdmk0/

Is the script supposed to be executed in this case? If so, does the ajaxResponse injection assume you're using jQuery?

from jquery.

So now it's a question of how invalid markup should be handled

That's not for me to say, so I won't go into that.

All I notice, is that SCRIPT tag inside a TR does appear to work in both Firefox and Edge (didn't check any other browser).

Is the script supposed to be executed in this case?

Yes. It is a cookie being set by a "WebSeal" server that handles security matters (authentication, authorization).

If so, does the ajaxResponse injection assume you're using jQuery?

It does not (and can't as it is supposed to work with any text/html response (regardless of whether jQuery is used or not).

from jquery.

The only way it would work without jQuery is if the browser loaded the response as a complete web page.

With jQuery, injecting a script works: https://jsfiddle.net/c0r9y4vd/

Without jQuery, it does not: https://jsfiddle.net/7sxwdmk0/

You might want to check with the WebSeal group or documentation and see what their advice is for implementing AJAX requests. The mentions I could find seem to indicate this is very old tech, so if it's a problem I'm surprised it hasn't come up before: https://serverfault.com/questions/47148/reverse-proxies-and-ajax

I'll leave it to the team as to whether a scenario like this should be supported.

from jquery.

Thanks for opening an issue. We discussed in the meeting. This falls under when you give unexpected input, you'll get unexpected output. While it's admittedly strange that the TDs are lost, the script tag is invalid. Besides, we'd prefer not to build in special case logic for things like this because it would never end.

However, if you know the response might be weird, the script could instead be appended separately with .append(...ajaxResponse.match(/^<script.*?<\/script>|.+/gis)).

from jquery.