Merge pull request #11446 from lerni/scripttype

ENH prevent default type in script tag

_config/mimetypes.yml

@@ -362,7 +362,7 @@ SilverStripe\Control\HTTP:
     jpgm: video/jpm
     jpgv: video/jpeg
     jpm: video/jpm
-    js: application/javascript
+    js: text/javascript
     json: application/json
     jsonml: application/jsonml+json
     kar: audio/midi

src/Control/HTTPResponse.php

@@ -363,7 +363,7 @@ protected function htmlRedirect()
         echo <<<EOT
 <p>Redirecting to <a href="{$urlATT}" title="Click this link if your browser does not redirect you">{$title}</a></p>
 <meta http-equiv="refresh" content="1; url={$urlATT}" />
-<script type="application/javascript">setTimeout(function(){
+<script>setTimeout(function(){
 	window.location.href = "{$urlJS}";
 }, 50);</script>
 EOT

src/Security/CMSSecurity.php

@@ -133,7 +133,7 @@ protected function redirectToExternalLogin()
 <!DOCTYPE html>
 <html><body>
 $message
-<script type="application/javascript">
+<script>
 setTimeout(function(){top.location.href = "$loginURLJS";}, 0);
 </script>
 </body></html>

src/Security/MemberAuthenticator/CMSLoginHandler.php

@@ -90,7 +90,7 @@ protected function redirectToChangePassword()
 <!DOCTYPE html>
 <html><body>
 $message
-<script type="application/javascript">
+<script>
 setTimeout(function(){top.location.href = "$changePasswordURLJS";}, 0);
 </script>
 </body></html>

src/View/Requirements_Backend.php

@@ -810,7 +810,7 @@ public function includeInHTML($content)
         foreach ($this->getJavascript() as $file => $attributes) {
             // Build html attributes
             $htmlAttributes = [
-                'type' => isset($attributes['type']) ? $attributes['type'] : "application/javascript",
+                'type' => isset($attributes['type']) ? $attributes['type'] : null,
                 'src' => $this->pathForFile($file),
             ];
             if (!empty($attributes['async'])) {
@@ -832,7 +832,7 @@ public function includeInHTML($content)
         // Add all inline JavaScript *after* including external files they might rely on
         foreach ($this->getCustomScripts() as $key => $script) {
             // Build html attributes
-            $customHtmlAttributes = ['type' => 'application/javascript'];
+            $customHtmlAttributes = [];
             if (isset($this->customScriptAttributes[$key])) {
                 foreach ($this->customScriptAttributes[$key] as $attrKey => $attrValue) {
                     $customHtmlAttributes[$attrKey] = $attrValue;

tests/php/Core/ConvertTest.php

@@ -102,7 +102,7 @@ public function testHtml2raw()
             'Strong tags with attributes are replaced with asterisks'
         );
 
-        $val3 = '<script type="application/javascript">Some really nasty javascript here</script>';
+        $val3 = '<script>Some really nasty javascript here</script>';
         $this->assertEquals(
             '',
             Convert::html2raw($val3),
@@ -116,7 +116,7 @@ public function testHtml2raw()
             'Style tags are completely removed'
         );
 
-        $val5 = "<script type=\"application/javascript\">Some really nasty\nmultiline javascript here</script>";
+        $val5 = "<script>Some really nasty\nmultiline javascript here</script>";
         $this->assertEquals(
             '',
             Convert::html2raw($val5),

tests/php/View/RequirementsTest.php

@@ -392,7 +392,7 @@ public function testCustomType()
             $result
         );
         $this->assertMatchesRegularExpression(
-            '#<script type="application/javascript" src=".*/javascript/RequirementsTest_b.js#',
+            '#<script src=".*/javascript/RequirementsTest_b.js#',
             $result
         );
     }
@@ -1070,7 +1070,7 @@ public function testCommentedOutScriptTagIsIgnored()
         $urlSrc = $urlGenerator->urlForResource($src);
         $this->assertEquals(
             '<html><head></head><body><!--<script>alert("commented out");</script>-->'
-            . '<h1>more content</h1><script type="application/javascript" src="' . $urlSrc
+            . '<h1>more content</h1><script src="' . $urlSrc
             . "\"></script>\n</body></html>",
             $html
         );
@@ -1094,8 +1094,8 @@ public function testForceJsToBottom()
         $template = '<html><head></head><body><header>My header</header><p>Body<script></script></p></body></html>';
 
         // The expected outputs
-        $expectedScripts = "<script type=\"application/javascript\" src=\"http://www.mydomain.com/test.js\"></script>\n"
-            . "<script type=\"application/javascript\">//<![CDATA[\n"
+        $expectedScripts = "<script src=\"http://www.mydomain.com/test.js\"></script>\n"
+            . "<script>//<![CDATA[\n"
             . "var globalvar = {\n\tpattern: '\\\\\$custom\\\\1'\n};\n"
             . "//]]></script>\n";
         $JsInHead = "<html><head>$expectedScripts</head><body><header>My header</header><p>Body<script></script></p></body></html>";
@@ -1407,7 +1407,7 @@ public function testSriAttributes()
 
         /* Javascript has correct attributes */
         $this->assertMatchesRegularExpression(
-            '#<script type="application/javascript" src=".*/javascript/RequirementsTest_a.js.*" integrity="abc" crossorigin="use-credentials"#',
+            '#<script src=".*/javascript/RequirementsTest_a.js.*" integrity="abc" crossorigin="use-credentials"#',
             $html,
             'javascript has correct sri attributes'
         );
@@ -1454,14 +1454,14 @@ public function testUniquenessID()
         );
 
         $this->assertDoesNotMatchRegularExpression(
-            "#<script type=\"application/javascript\">//<!\[CDATA\[\s*Do Not Display\s*//\]\]></script>#s",
+            "#<script>//<!\[CDATA\[\s*Do Not Display\s*//\]\]></script>#s",
             $html,
             'customScript is correctly not displaying original write'
         );
 
         /* customScriptWithAttributes is overwritten by customScript */
         $this->assertMatchesRegularExpression(
-            "#<script type=\"application/javascript\">//<!\[CDATA\[\s*Override\s*//\]\]></script>#s",
+            "#<script>//<!\[CDATA\[\s*Override\s*//\]\]></script>#s",
             $html,
             'customScript is displaying latest write and clearing attributes'
         );