Script Tags Blocked in Dynamically Created Components

You can no longer add a <script> tag to a component dynamically created by $A.createComponent() or $A.createComponents(). This restriction is not new for components but we did not enforce this restriction for dynamically created components. In Spring ’19, we closed that security vulnerability.

Where: This change applies to orgs with Lightning components in Lightning Experience, Salesforce Classic, and all versions of the Salesforce app.

How: To reference a JavaScript library, you must upload it as a static resource, and use a <ltng:require> tag to reference it in your .cmp or .app markup.

You can still add a <script> tag to an application’s template, which is a special type of component that extends aura:template.