Commit4250b62

authored
Attributes: Don't stringify attributes in the setter
Stringifying attributes in the setter was needed for IE <=9 but it breaks trusted types enforcement when setting a script `src` attribute. Note that this doesn't mean script execution works. Since jQuery disables all scripts by changing their type and then executes them by creating fresh script tags with proper `src` & possibly other attributes, this unwraps any trusted `src` wrappers, making the script not execute under strict CSP settings. We might try to fix it in the future in a separate change. Fixes gh-4948. Closes gh-4949.
1 parent4fd6912 commit4250b62

File tree

6 files changed

+97
-1
lines changed

6 files changed

+97
-1
lines changed

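--- a/src/attributes/attr.js
+++ b/src/attributes/attr.js
@@ -50,7 +50,7 @@ jQuery.extend( {
 returnret;
 }
 
-elem.setAttribute(name,value+"");
+elem.setAttribute(name,value);
 returnvalue;
 }
 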
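Review bot: The changed `elem.setAttribute( name, value );` line now deliberately hands the DOM a non-string (a TrustedScriptURL or any object with `toString`) and lets the browser do the coercion, but nothing in the code records that, so a later cleanup could reintroduce `+ ""` and silently break Trusted Types again; add a why-comment above it, e.g. `// Don't stringify: the DOM coerces value itself, and an explicit + "" unwraps TrustedScriptURL objects, which breaks require-trusted-types-for 'script' (gh-4948).` This keeps the wrapper only for the attribute set here; as the commit message says, script tags that jQuery re-creates on insertion still receive a plain-string `src`, so execution under an enforcing policy remains unsupported and that caveat belongs in a comment on the script-evaluation path rather than on this line. The enclosing `attr` setter starts outside the hunk.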
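--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -247,6 +247,12 @@ protected function trustedHtml( $req ) {
 echofile_get_contents(__DIR__ .'/trusted-html.html' );
 }
 
+protectedfunctiontrustedTypesAttributes($req ) {
+header("Content-Security-Policy: require-trusted-types-for 'script'; report-uri ./mock.php?action=cspLog" );
+header('Content-type: text/html' );
+echofile_get_contents(__DIR__ .'/trusted-types-attributes.html' );
+}
+
 protectedfunctionerrorWithScript($req ) {
 header('HTTP/1.0 404 Not Found' );
 if (isset($req->query['withScriptContentType'] ) ) {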
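--- /dev/null
+++ b/test/data/trusted-types-attributes.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+<head>
+<metacharset=utf-8/>
+<title>Trusted HTML attribute tests</title>
+</head>
+<body>
+<divid="qunit-fixture"></div>
+<scriptsrc="../../dist/jquery.js"></script>
+<scriptsrc="iframeTest.js"></script>
+<script>
+vari,input,elem,policy,
+results=[];
+
+functionrunTests(messagePrefix,getTrustedScriptUrlWrapper){
+try{
+elem=jQuery("<script><\/script>")
+.attr("src",getTrustedScriptUrlWrapper("trusted-types-attributes.js"));
+elem.appendTo(document.body);
+
+results.push({
+actual:elem.attr("src"),
+expected:"trusted-types-attributes.js",
+message:messagePrefix+": script URL properly set"
+});
+}catch(e){
+results.push({
+actual:"error thrown",
+expected:"",
+message:messagePrefix+": error has been thrown"
+});
+}
+}
+
+if(typeoftrustedTypes!=="undefined"){
+policy=trustedTypes.createPolicy("jquery-test-policy",{
+createScriptURL:function(html){
+returnhtml;
+}
+});
+
+runTests("TrustedScriptURL",functionwrapInTrustedScriptUrl(input){
+returnpolicy.createScriptURL(input);
+});
+}else{
+
+// No TrustedScriptURL support so let's at least run tests with object wrappers
+// with a proper `toString` function. See trusted-html.html for more context.
+runTests("Object wrapper",function(input){
+return{
+toString:functiontoString(){
+returninput;
+}
+};
+});
+}
+
+startIframeTest(results);
+</script>
+</body>
+</html>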
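Review bot: The `catch ( e )` branch in `runTests` discards the exception, so a Trusted Types `TypeError` (the failure this commit is about) and any unrelated error both collapse into the same `error has been thrown` record; include the detail, e.g. `message: messagePrefix + ": error has been thrown: " + ( e && e.message )`. The fixture `trusted-types-attributes.js` sets `window.testMessage`, but nothing here reads it, so the test never observes whether the appended script actually ran, which the commit message says it will not under an enforcing policy; either assert on `window.testMessage` and record that as a known gap, or drop the fixture. The `i` and `input` declarations at the top are unused (`input` is shadowed by the wrapper parameters), and the `createScriptURL` callback's parameter is named `html` although it receives a script URL; a name like `url` and a short comment that the pass-through policy is test-only would help.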

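--- /dev/null
+++ b/test/data/trusted-types-attributes.js
@@ -0,0 +1 @@
+window.testMessage="script run";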

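--- a/test/middleware-mockserver.js
+++ b/test/middleware-mockserver.js
@@ -264,6 +264,14 @@ var mocks = {
 varbody=fs.readFileSync(__dirname+"/data/trusted-html.html").toString();
 resp.end(body);
 },
+trustedTypesAttributes:function(req,resp){
+resp.writeHead(200,{
+"Content-Type":"text/html",
+"Content-Security-Policy":"require-trusted-types-for 'script'; report-uri /base/test/data/mock.php?action=cspLog"
+});
+varbody=fs.readFileSync(__dirname+"/data/trusted-types-attributes.html").toString();
+resp.end(body);
+},
 errorWithScript:function(req,resp){
 if(req.query.withScriptContentType){
 resp.writeHead(404,{"Content-Type":"application/javascript"});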

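--- a/test/unit/attributes.js
+++ b/test/unit/attributes.js
@@ -1764,3 +1764,23 @@ QUnit.test( "non-lowercase boolean attribute getters should not crash", function
 }
 });
 });
+
+
+// Test trustedTypes support in browsers where they're supported (currently Chrome 83+).
+// Browsers with no TrustedScriptURL support still run tests on object wrappers with
+// a proper `toString` function.
+testIframe(
+"Basic TrustedScriptURL support (gh-4948)",
+"mock.php?action=trustedTypesAttributes",
+function(assert,jQuery,window,document,test){
+vardone=assert.async();
+
+assert.expect(1);
+
+test.forEach(function(result){
+assert.deepEqual(result.actual,result.expected,result.message);
+});
+
+supportjQuery.get(baseURL+"mock.php?action=cspClean").then(done);
+}
+);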
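Review bot: The callback wipes the CSP log via `cspClean` without ever reading it, so any `require-trusted-types-for` violation the iframe reported through `report-uri` — including the plain-string `src` on the re-created script tag that the commit message acknowledges — is thrown away before the test can see it, and the test passes purely on the attribute round-trip. Fetch `mock.php?action=cspLog` first and assert on its body (using whatever the sibling CSP tests expect from an empty log, which I cannot see from here), then clean: `supportjQuery.get( baseURL + "mock.php?action=cspLog" ).then( function( log ) { assert.equal( log, EXPECTED_EMPTY_LOG, "No CSP violations" ); return supportjQuery.get( baseURL + "mock.php?action=cspClean" ); } ).then( done );` with `assert.expect( 2 )`. If that assertion does fail today, it documents the known execution gap explicitly rather than leaving it green by omission.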
