Commit9c98e4e

mgol

and

gibson042

authored

Manipulation: Avoid concatenating strings in buildFragment

Concatenating HTML strings in buildFragment is a possible security risk as itcreates an opportunity of escaping the concatenated wrapper. It also makes itimpossible to support secure HTML wrappers like[trusted types](https://web.dev/trusted-types/). It's safer to create wrapperelements using `document.createElement` & `appendChild`.The previous way was needed in jQuery <4 because IE <10 doesn't accept tableparts set via `innerHTML`, even if the element which contents are set isa proper table element, e.g.:```jstr.innerHTML = "<td></td>";```The whole structure needs to be passed in one HTML string. jQuery 4 dropssupport for IE <11 so this is no longer an issue; in older version we'd haveto duplicate the code paths.IE <10 needed to have `<option>` elements wrapped in`<select multiple="multiple">` but we no longer need that on master whichmakes the `document.createElement` way shorter as we don't have to call`setAttribute`.All these improvements, apart from making logic more secure, decrease thegzipped size by 58 bytes.Closesgh-4724Refgh-4409Refangular/angular.js#17028Co-authored-by: Richard Gibson <richard.gibson@gmail.com>

1 parent7a6fae6 commit9c98e4eCopy full SHA for 9c98e4e

File tree

3 files changed

+23

-13

lines changed

src/manipulation
- buildFragment.js
- wrapMap.js
test/unit
- manipulation.js

3 files changed

+23

-13

lines changed

`‎src/manipulation/buildFragment.js`

Lines changed: 8 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`importjQueryfrom"../core.js";`
`2`	`2`	`importtoTypefrom"../core/toType.js";`
`3`	`3`	`importisAttachedfrom"../core/isAttached.js";`
	`4`	`+importarrfrom"../var/arr.js";`
`4`	`5`	`importrtagNamefrom"./var/rtagName.js";`
`5`	`6`	`importrscriptTypefrom"./var/rscriptType.js";`
`6`	`7`	`importwrapMapfrom"./wrapMap.js";`
`@@ -35,15 +36,16 @@ function buildFragment( elems, context, scripts, selection, ignored ) {`
`35`	`36`
`36`	`37`	`// Deserialize a standard representation`
`37`	`38`	`tag=(rtagName.exec(elem)\|\|["",""])[1].toLowerCase();`
`38`		`-wrap=wrapMap[tag]\|\|wrapMap._default;`
`39`		`-tmp.innerHTML=wrap[1]+jQuery.htmlPrefilter(elem)+wrap[2];`
	`39`	`+wrap=wrapMap[tag]\|\|arr;`
`40`	`40`
`41`		`-//Descend throughwrappersto the right content`
`42`		`-j=wrap[0];`
`43`		`-while(j--){`
`44`		`-tmp=tmp.lastChild;`
	`41`	`+//Createwrappers& descend into them.`
	`42`	`+j=wrap.length;`
	`43`	`+while(--j>-1){`
	`44`	`+tmp=tmp.appendChild(context.createElement(wrap[j]));`
`45`	`45`	`}`
`46`	`46`
	`47`	`+tmp.innerHTML=jQuery.htmlPrefilter(elem);`
	`48`	`+`
`47`	`49`	`jQuery.merge(nodes,tmp.childNodes);`
`48`	`50`
`49`	`51`	`// Remember the top-level container`

`‎src/manipulation/wrapMap.js`

Lines changed: 4 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,17 +1,14 @@`
`1`		`-// We have to close these tags to support XHTML (#13200)`
`2`	`1`	`varwrapMap={`
`3`	`2`
`4`	`3`	// Table parts need to be wrapped with `<table>` or they're
`5`	`4`	`// stripped to their contents when put in a div.`
`6`	`5`	`// XHTML parsers do not magically insert elements in the`
`7`	`6`	`// same way that tag soup parsers do, so we cannot shorten`
`8`	`7`	`// this by omitting <tbody> or other required elements.`
`9`		`-thead:[1,"<table>","</table>"],`
`10`		`-col:[2,"<table><colgroup>","</colgroup></table>"],`
`11`		`-tr:[2,"<table><tbody>","</tbody></table>"],`
`12`		`-td:[3,"<table><tbody><tr>","</tr></tbody></table>"],`
`13`		`-`
`14`		`-_default:[0,"",""]`
	`8`	`+thead:["table"],`
	`9`	`+col:["colgroup","table"],`
	`10`	`+tr:["tbody","table"],`
	`11`	`+td:["tr","tbody","table"]`
`15`	`12`	`};`
`16`	`13`
`17`	`14`	`wrapMap.tbody=wrapMap.tfoot=wrapMap.colgroup=wrapMap.caption=wrapMap.thead;`

`‎test/unit/manipulation.js`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2969,3 +2969,14 @@ QUnit.test( "Sanitized HTML doesn't get unsanitized", function( assert ) {`
`2969`	`2969`	`test("<noembed><noembed/><img src=url404 onerror=xss(12)>");`
`2970`	`2970`	`}`
`2971`	`2971`	`});`
	`2972`	`+`
	`2973`	`+QUnit.test("Works with invalid attempts to close the table wrapper",function(assert){`
	`2974`	`+assert.expect(3);`
	`2975`	`+`
	`2976`	`+// This test case attempts to close the tags which wrap input`
	`2977`	`+// based on matching done in wrapMap which should be ignored.`
	`2978`	`+varelem=jQuery("<td></td></tr></tbody></table><td></td>");`
	`2979`	`+assert.strictEqual(elem.length,2,"Two elements created");`
	`2980`	`+assert.strictEqual(elem[0].nodeName.toLowerCase(),"td","First element is td");`
	`2981`	`+assert.strictEqual(elem[1].nodeName.toLowerCase(),"td","Second element is td");`
	`2982`	`+});`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9c98e4e

File tree

3 files changed

3 files changed

`‎src/manipulation/buildFragment.js`

`‎src/manipulation/wrapMap.js`

`‎test/unit/manipulation.js`

0 commit comments