Commit58c2460

fhembergertimmywil
authored andcommitted
Core: use document.implemenation.createHTMLDocument in jQuery.parseHTML
Close gh-1505
1 parent43faf6d commit58c2460


5 files changed

+39
-3
lines changed


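--- a/src/core.js
+++ b/src/core.js
@@ -7,7 +7,7 @@ define([
 "./var/class2type",
 "./var/toString",
 "./var/hasOwn",
-"./var/support"
+"./core/support"
 ],function(arr,slice,concat,push,indexOf,class2type,toString,hasOwn,support){
 
 var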

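--- a/src/core/parseHTML.js
+++ b/src/core/parseHTML.js
@@ -2,7 +2,7 @@ define([
 "../core",
 "./var/rsingleTag",
 "../manipulation"// buildFragment
-],function(jQuery,rsingleTag){
+],function(jQuery,rsingleTag,support){
 
 // data: string of html
 // context (optional): If specified, the fragment will be created in this context,
@@ -16,7 +16,11 @@ jQuery.parseHTML = function( data, context, keepScripts ) {
 keepScripts=context;
 context=false;
 }
-context=context||document;
+// document.implementation stops scripts or inline event handlers from
+// being executed immediately
+context=context||(support.createHTMLDocument ?
+document.implementation.createHTMLDocument() :
+document);
 
 varparsed=rsingleTag.exec(data),
 scripts=!keepScripts&&[];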
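Review bot: The new third callback parameter `support` in the first hunk has no matching entry in the dependency array: the visible list is `"../core"`, `"./var/rsingleTag"`, `"../manipulation"`, so under AMD positional binding `support` receives whatever `../manipulation` returns rather than the support object. If that value has no `createHTMLDocument` property, the ternary in the second hunk silently falls back to `document`, and inline handlers such as `onerror` keep firing during parsing, which is the behaviour this commit sets out to remove. Listing the support module before the side-effect-only dependency, e.g. `"./support",` ahead of `"../manipulation"`, would bind it correctly, assuming `src/core/support.js` returns the support object. The added comment should also say that the inert document is used only when the caller passes no `context`; an explicit `context` of `document` still parses in the live page. The body of `jQuery.parseHTML` continues outside the hunk.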

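--- a/src/core/support.js
+++ b/src/core/support.js
@@ -0,0 +1,6 @@
+define([
+"../var/support"
+],function(jQuery,support){
+// window.document is used here as it's before the sandboxed document
+support.createHTMLDocument=!!window.document.implementation.createHTMLDocument;
+});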
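Review bot: The callback declares two parameters, `jQuery` and `support`, but the dependency array holds only `"../var/support"`, so `jQuery` is bound to the support object and `support` is `undefined`; the assignment on new line 5 would then throw a TypeError when the module loads. The module also returns nothing, while `src/core.js` now takes its `support` argument from `./core/support`, which would leave that argument `undefined` too. Suggested shape: `], function( support ) {` with `return support;` before the closing `});`. Since this flag decides whether `jQuery.parseHTML` parses into an inert document, a unit check that `jQuery.support.createHTMLDocument` is a boolean after load would catch this kind of wiring mistake.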

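--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -1367,6 +1367,24 @@ test("jQuery.parseHTML", function() {
 ok(jQuery.parseHTML("<#if><tr><p>This is a test.</p></tr><#/if>")||true,"Garbage input should not cause error");
 });
 
+// This XSS test is optional, as it will only pass when `document.implementation.createHTMLDocument`
+// is implemented. This might not be the case for older Android browsers (<= 2.x).
+if(document.implementation.createHTMLDocument){
+asyncTest("jQuery.parseHTML",function(){
+expect(1);
+
+Globals.register("parseHTMLError");
+
+jQuery.globalEval("parseHTMLError = false;");
+jQuery.parseHTML("<img src=x onerror='parseHTMLError = true'>");
+
+window.setTimeout(function(){
+start();
+equal(window.parseHTMLError,false,"onerror eventhandler has not been called.");
+},2000);
+});
+}
+
 test("jQuery.parseJSON",function(){
 expect(20);
 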
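Review bot: The added `asyncTest` reuses the name `"jQuery.parseHTML"` of the test directly above it, so a failure report cannot tell the XSS regression check from the functional test; a distinct name such as `asyncTest("jQuery.parseHTML - inline event handlers", ...)` would fix that. The test covers only the call without a `context`, so the case where a caller passes `document` explicitly, which by the parseHTML.js change still parses in the live page, is neither asserted nor documented. The fixed `2000` ms wait also deserves a short comment, for example `// the image error event fires asynchronously, so give it time before asserting`.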

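--- a/test/unit/support.js
+++ b/test/unit/support.js
@@ -61,6 +61,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -77,6 +78,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":false,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":true,
 "noCloneChecked":false,
 "optDisabled":true,
@@ -93,6 +95,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":false,
 "cors":false,
+"createHTMLDocument":true,
 "focusinBubbles":true,
 "noCloneChecked":false,
 "optDisabled":true,
@@ -109,6 +112,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -125,6 +129,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -141,6 +146,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -157,6 +163,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":false,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -173,6 +180,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":false,
 "clearCloneStyle":false,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":false,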
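Review bot: All eight expected-support maps gain `"createHTMLDocument":true`, yet the comment added in test/unit/core.js says `document.implementation.createHTMLDocument` may be missing on older Android browsers (<= 2.x). The user-agent conditions that select each map lie outside these hunks, so this cannot be confirmed from here, but any map that stands for such a browser should expect `false`. A wrong expectation here would hide the fact that `jQuery.parseHTML` falls back to the live document on that browser.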
