If I remember correctly, IE will not execute a script that is ‘imported’ by using the DOM to create it

Because even though your focus is on the javascript regexp,
I can’t but notice that you’re XHR-ing a document with a
script tag, and parse it to extract and execute the javascript.

I’m using your forum software for a (pretty big gaming) hobby
site, but I’m also doing (core) quality assurance for a browser
company, and one of my responsibilities is javascript.

And so my second thought was: NO! PLEASE DON’T DO THAT!

- If you want to **load pages** into your webpage, use iframes.
- If you want to include scripts, then include the script.

I can’t really see any good use cases where you’d want to XHR
a document, and have it’s javascript execute. XHR is for loading
new data, not new business logic.

And was it Rasmus that said about php “when eval() is the answer,
you’re asking the wrong question”? Anyway, it pretty much holds
for javascript as well.

If you load a page from your own server, then you should be able
to split the data into nicely separated entities, and serve them
to your XHR script using xml (and CDATA).

If you’re loading a page from a server you’r not controlling, you’re
open wide to a wide range of XSS attacks, which is really, really bad.

*** Slightly off topic ***
And come to think of it, that’s just as bad as allowing html, xml and
css uploads to IPB by default. You really should not! Most forum admins
have noe idea what XSS is, and will not think of disabling html attachments.
But allowing them is that same as giving any user with upload rights the
ability to highjack any other users’ accounts, by having them viewing the
attachment.

It’s also good practice to store your uploads on a different domain than
the one serving the content. Luckily IPB supports that with it’s “Upload URL”
setting. But again, most people don’t know anything about XSS, and why
they should do this. And most people don’t have full control of multiple domains
to play around with either. So uploading anything that is executed by the
browser, that may contain javascript, is a bad thing to have as an “opt out”.
It should be an “opt in”.

This should also have been properly explained in ACP by my taste.
*** Back on topic ***

Anyway, if you really want to load scripts using XHR, and eval them,
the least thing you should do, is to serve them as XML, so you don’t
need to parse the document for script tags.

This is a small example of how to import a script during runtime:

test.html:
<!DOCTYPE html>
<html>
<head>
<script type=”text/javascript”>
document.onload = function() {
   var s = document.createElement(’script’);
   s.setAttribute(‘type’,'text/javascript’);
   s.setAttribute(’src’, ’imported.js’);
   document.body.appendChild(s);
   helloWorld();
}
</script>
</head>
<body>

</body>
</html>

imported.js:
/* Run automatically at import: */
(function() {
   var div = document.createElement(‘div’);
   div.appendChild(document.createTextNode(‘External javascript imported.’));
   document.body.appendChild(div);
})()

/* Run when called: */
function helloWorld() {
   var div = document.createElement(‘div’);
   div.appendChild(document.createTextNode(‘Function in imported javascript ran.’));
   document.body.appendChild(div);
}

The script “imported.js” could of course be dynamically generated based
on a query string, so you could use just one javascript serving script
to generate all your “run time imported” javascript code.

Wow, this became much longer than anticipated. Oh well, hard drives and bandwidth are cheap these days

The “s” modifier will treat the string as a single line and thus matches new line characters when using “.” too.

You are correct, there is a multiline modifier which is “m”

Not sure if my other comment got through, I keep getting an error “No entry_id”.

I can’t quite remember which one it is, but looking briefly at some of my code tells me it’s either “s” or “m”.