NotificationsYou must be signed in to change notification settings
Fork20.6k
Star59.5k

Commit2f8f39e

authored

Manipulation: Don't remove HTML comments from scripts

When evaluating scripts, jQuery strips out the possible wrapping HTML commentand a CDATA section. However, all supported browsers are already doing thatwhen loading JS via appending a script tag to the DOM which is how we've beendoing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.it just stripped the `` markers, respectively at the beginning orthe end of the script contents. However, browsers are also stripping everythingfollowing those markers in the same line, treating them as single-line commentsdelimiters; this is now also mandated by ECMAScript 2015 in Annex B. Insteadof fixing the jQuery logic, just let the browser do its thing.We also used to strip CDATA sections. However, this shouldn't be needed as inXML documents they're already not visible when inspecting element contents andin HTML documents they have no meaning. We've preserved that behavior forbackwards compatibility in 3.x but we're removing it for 4.0.Fixesgh-4904Closesgh-4906

1 parent0f623fd commit2f8f39eCopy full SHA for 2f8f39e

File tree

3 files changed

+22

-12

lines changed

src
- manipulation.js
test
- data
  - cleanScript.html
- unit
  - manipulation.js

3 files changed

+22

-12

lines changed

`‎src/manipulation.js`

Lines changed: 2 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,9 +25,7 @@ var`
`25`	`25`
`26`	`26`	`// Support: IE <=10 - 11+`
`27`	`27`	`// In IE using regex groups here causes severe slowdowns.`
`28`		`-rnoInnerhtml=/<script\|<style\|<link/i,`
`29`		`-`
`30`		`-rcleanScript=/^\s<!(?:\[CDATA\[\|--)\|(?:\]\]\|--)>\s$/g;`
	`28`	`+rnoInnerhtml=/<script\|<style\|<link/i;`
`31`	`29`
`32`	`30`	`// Prefer a tbody over its parent table for containing new rows`
`33`	`31`	`functionmanipulationTarget(elem,content){`
`@@ -161,7 +159,7 @@ function domManip( collection, args, callback, ignored ) {`
`161`	`159`	`},doc);`
`162`	`160`	`}`
`163`	`161`	`}else{`
`164`		`-DOMEval(node.textContent.replace(rcleanScript,""),node,doc);`
	`162`	`+DOMEval(node.textContent,node,doc);`
`165`	`163`	`}`
`166`	`164`	`}`
`167`	`165`	`}`

`‎test/data/cleanScript.html`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`-->`
`5`	`5`	`</script>`
`6`	`6`	`<script>`
`7`		`-<![CDATA[`
	`7`	`+<!--//--><![CDATA[//><!--`
`8`	`8`	`QUnit.assert.ok(true,"script within CDATA executed");`
`9`		`-]]>`
	`9`	`+//--><!]]>`
`10`	`10`	`</script>`

`‎test/unit/manipulation.js`

Lines changed: 18 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -2233,19 +2233,31 @@ QUnit.test( "domManip executes scripts containing html comments or CDATA (trac-9`
`2233`	`2233`	`"</script>"`
`2234`	`2234`	`].join("\n")).appendTo("#qunit-fixture");`
`2235`	`2235`
	`2236`	`+// This test requires XHTML mode as CDATA is not recognized in HTML.`
	`2237`	`+// jQuery( [`
	`2238`	`+// "<script type='text/javascript'>",`
	`2239`	`+// "<![CDATA[",`
	`2240`	`+// "QUnit.assert.ok( true, '<![CDATA[ handled' );",`
	`2241`	`+// "//]]>",`
	`2242`	`+// "</script>"`
	`2243`	`+// ].join( "\n" ) ).appendTo( "#qunit-fixture" );`
	`2244`	`+`
`2236`	`2245`	`jQuery([`
`2237`	`2246`	`"<script type='text/javascript'>",`
`2238`		`-"<![CDATA[",`
`2239`		`-"QUnit.assert.ok( true, '<![CDATA[ handled' );",`
`2240`		`-"//]]>",`
	`2247`	`+"<!--//--><![CDATA[//><!--",`
	`2248`	`+"QUnit.assert.ok( true, '<!--//--><![CDATA[//><!-- (Drupal case) handled' );",`
	`2249`	`+"//--><!]]>",`
`2241`	`2250`	`"</script>"`
`2242`	`2251`	`].join("\n")).appendTo("#qunit-fixture");`
`2243`	`2252`
	`2253`	+// ES2015 in Annex B requires HTML-style comment delimiters (`<!--` & `-->`) to act as
	`2254`	+// single-line comment delimiters; i.e. they should be treated as `//`.
	`2255`	`+// See gh-4904`
`2244`	`2256`	`jQuery([`
`2245`	`2257`	`"<script type='text/javascript'>",`
`2246`		`-"<!--//--><![CDATA[//><!--",`
`2247`		`-"QUnit.assert.ok( true, '<!--//--><![CDATA[//><!-- (Drupal case) handled' );",`
`2248`		`-"//--><!]]>",`
	`2258`	`+"<!-- Same-line HTML comment",`
	`2259`	`+"QUnit.assert.ok( true, '<!-- Same-line HTML comment' );",`
	`2260`	`+"-->",`
`2249`	`2261`	`"</script>"`
`2250`	`2262`	`].join("\n")).appendTo("#qunit-fixture");`
`2251`	`2263`	`});`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2f8f39e

File tree

3 files changed

3 files changed

`‎src/manipulation.js`

`‎test/data/cleanScript.html`

`‎test/unit/manipulation.js`

0 commit comments