> That's all nice & dandy for json. But the "javascript getting executed > solely on server saying so" problem still remains. The fact you had to > change the synchronous request tests is a clear proof of the problem to me: > existing code will break (no issue if documented), existing code will face a > security hole (more problematic to say the least).
I've already documented the change in the new 1.4 API docs. As I said before, the second issue is not any more of an issue then what is already happening with .load() - in fact I would say it's less of an issue then what happens with .load() since XSS attacks are far more likely to occur in raw HTML (which .load() deals with). --John
-- You received this message because you are subscribed to the Google Groups "jQuery Development" group. To post to this group, send email to jquery-...@googlegroups.com. To unsubscribe from this group, send email to jquery-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/jquery-dev?hl=en.