Commitd23a95f

fhembergermarkelog
authored andcommitted
Core: use document.implemenation.createHTMLDocument in jQuery.parseHTML
Closegh-1505
1 parent1704cd7 commitd23a95f


5 files changed

+39
-3
lines changed


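--- a/src/core.js
+++ b/src/core.js
@@ -7,7 +7,7 @@ define([
 "./var/class2type",
 "./var/toString",
 "./var/hasOwn",
-"./var/support"
+"./core/support"
 ],function(arr,slice,concat,push,indexOf,class2type,toString,hasOwn,support){
 
 var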

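--- a/src/core/parseHTML.js
+++ b/src/core/parseHTML.js
@@ -2,7 +2,7 @@ define([
 "../core",
 "./var/rsingleTag",
 "../manipulation"// buildFragment
-],function(jQuery,rsingleTag){
+],function(jQuery,rsingleTag,support){
 
 // data: string of html
 // context (optional): If specified, the fragment will be created in this context,
@@ -16,7 +16,11 @@ jQuery.parseHTML = function( data, context, keepScripts ) {
 keepScripts=context;
 context=false;
 }
-context=context||document;
+// document.implementation stops scripts or inline event handlers from
+// being executed immediately
+context=context||(support.createHTMLDocument ?
+document.implementation.createHTMLDocument() :
+document);
 
 varparsed=rsingleTag.exec(data),
 scripts=!keepScripts&&[];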
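Review bot: The factory at new line 5 now takes `support` as its third parameter, but the dependency array above it still lists only `"../core"`, `"./var/rsingleTag"` and `"../manipulation"`, so under an AMD loader `support` is bound to whatever `../manipulation` exports rather than to the support object. If that export has no `createHTMLDocument` property, the ternary at new lines 21-23 silently falls back to the live `document`, and inline handlers run during parsing exactly as before the change. I would add `"./support",` ahead of `"../manipulation" // buildFragment` so that the third argument really is the support module. The new comment should also state that the detached document is used only when no `context` is passed, because `context || (...)` leaves a caller-supplied document untouched; the body of `jQuery.parseHTML` continues outside the hunk.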

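--- a/src/core/support.js
+++ b/src/core/support.js
@@ -0,0 +1,6 @@
+define([
+"../var/support"
+],function(jQuery,support){
+// window.document is used here as it's before the sandboxed document
+support.createHTMLDocument=!!window.document.implementation.createHTMLDocument;
+});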
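Review bot: The factory declares two parameters, `jQuery` and `support`, while the dependency array holds only `"../var/support"`, so under an AMD loader the support object arrives as `jQuery` and `support` is `undefined`, which makes the assignment on line 5 throw. The module also has no `return`, yet src/core.js in this commit switches its `support` dependency to `./core/support`, which would then resolve to `undefined`. I would change the signature to `], function( support ) {` and add `return support;` before the closing `});`. If a build step that strips the `define` wrappers is what makes the current form work, that assumption deserves a comment here, because a missing flag makes `jQuery.parseHTML` fall back to parsing in the live document.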

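--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -1349,6 +1349,24 @@ test("jQuery.parseHTML", function() {
 ok(jQuery.parseHTML("<#if><tr><p>This is a test.</p></tr><#/if>")||true,"Garbage input should not cause error");
 });
 
+// This XSS test is optional, as it will only pass when `document.implementation.createHTMLDocument`
+// is implemented. This might not be the case for older Android browsers (<= 2.x).
+if(document.implementation.createHTMLDocument){
+asyncTest("jQuery.parseHTML",function(){
+expect(1);
+
+Globals.register("parseHTMLError");
+
+jQuery.globalEval("parseHTMLError = false;");
+jQuery.parseHTML("<img src=x onerror='parseHTMLError = true'>");
+
+window.setTimeout(function(){
+start();
+equal(window.parseHTMLError,false,"onerror eventhandler has not been called.");
+},2000);
+});
+}
+
 test("jQuery.parseJSON",function(){
 expect(20);
 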
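Review bot: Only the call with no `context` is exercised, and only until the 2000 ms timer fires, so the test says nothing about a caller-supplied `context` or about what happens once the returned nodes are inserted into the page. A comment above the `asyncTest` should state that scope, for example `// Covers parsing only; nothing visible here strips the onerror attribute from the returned nodes`, so the test is not read as proof that `jQuery.parseHTML` output is safe to insert. The title `"jQuery.parseHTML"` is also identical to the existing test named in the hunk header, so a failure report cannot tell the two apart; `asyncTest("jQuery.parseHTML: inline handlers not run while parsing", ...)` would. Calling `equal(...)` before `start()` is the more usual order.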

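--- a/test/unit/support.js
+++ b/test/unit/support.js
@@ -61,6 +61,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -77,6 +78,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":false,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":true,
 "noCloneChecked":false,
 "optDisabled":true,
@@ -93,6 +95,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":false,
 "cors":false,
+"createHTMLDocument":true,
 "focusinBubbles":true,
 "noCloneChecked":false,
 "optDisabled":true,
@@ -109,6 +112,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -125,6 +129,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -141,6 +146,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":true,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -157,6 +163,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":false,
 "clearCloneStyle":true,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":true,
@@ -173,6 +180,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
 "checkOn":false,
 "clearCloneStyle":false,
 "cors":true,
+"createHTMLDocument":true,
 "focusinBubbles":false,
 "noCloneChecked":true,
 "optDisabled":false,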
