Permalink
Browse files

Adjust jQuery('html') detection to only match when html starts with '…

…<' (counting space characters). Fixes #11290
  • Loading branch information...
1 parent 286c4d9 commit 239fc86b01d52fd9df6d1963027ed37b4f6251fc timmywil committed Jun 20, 2012
Showing with 3 additions and 6 deletions.
  1. +2 −3 src/core.js
  2. +1 −3 test/unit/core.js
View
@@ -40,9 +40,8 @@ var
trimRight = /\s+$/,
// A simple way to check for HTML strings
- // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
- // Ignore html if within quotes "" '' or brackets/parens [] ()
- rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
+ // If starts-with '<'
+ rhtmlString = /^\s*(<[\w\W]+>)[^>]*$/,
// Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
View
@@ -27,7 +27,7 @@ test("jQuery()", function() {
div = jQuery("<div/><hr/><code/><b/>"),
exec = false,
long = "",
- expected = 26,
+ expected = 24,
attrObj = {
click: function() { ok( exec, "Click executed." ); },
text: "test",
@@ -132,14 +132,12 @@ test("jQuery()", function() {
elem.remove();
equal( jQuery(" <div/> ").length, 1, "Make sure whitespace is trimmed." );
- equal( jQuery(" a<div/>b ").length, 1, "Make sure whitespace and other characters are trimmed." );
for ( i = 0; i < 128; i++ ) {
long += "12345678";
}
equal( jQuery(" <div>" + long + "</div> ").length, 1, "Make sure whitespace is trimmed on long strings." );
- equal( jQuery(" a<div>" + long + "</div>b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." );
});
test("selector state", function() {

16 comments on commit 239fc86

Member

mikesherov replied Jun 20, 2012

How does this effect round-tripping?

var div = $('<div>hi <div>hello</div></div>');
div.html(div.html());
Owner

timmywil replied Jun 20, 2012

It is intentionally more strict and would be a change in behavior for that situation. However, the coming introduction of parseHTML will take care of explicitly generating html.

Member

mikesherov replied Jun 20, 2012

I get it's a change in behavior. Right now on edge, it's causing a syntax error. Please see my fiddle.

Owner

dmethvin replied Jun 20, 2012

It's a syntax error because the string prefixed with "hi ..." is no longer considered to be HTML, which is what the patch is trying to do.

For that particular case you're not really round-tripping the HTML since the outer div is gone and $() has always lost leading/trailing text.

If this seems to abrupt, and I can agree that it might be, I suggest that we leave $(html) untouched (or at least less aggressively neutered, for example allow leading alphanumerics) and only introduce $.parseHTML in 1.8 with the strong warning that people MUST switch over by 1.9 if they want to process random HTML.

Owner

timmywil replied Jun 20, 2012

I'd be alright with that. I guess the question is are there enough cases where this would break to warrant not adding now?

Owner

dmethvin replied Jun 20, 2012

Well if there are, I'm foreseeing a situation like we had in 1.6 with attroperties. If we warn about it now and provide $.parseHTML simultaneously, nobody can say they were not told.

Member

rwaldron replied Jun 20, 2012

Honestly, my concern is that this is too drastic of a change - especially for those that have large systems, plugins etc. /2cents

Owner

timmywil replied Jun 20, 2012

@rwldrn: agreed, I'm working on parseHTML right now. Dave is a little low on time.

Member

mikesherov replied Jun 21, 2012

So to be clear, this change and the previous mod to this regex are being reverted?

Owner

dmethvin replied Jun 21, 2012

Yeah, we're not changing $() behavior in 1.8; instead we'll evangelize and get feedback over the next 6 months and really lock it down in 1.9 if all goes well. The key is to have parseHTML ready so people have a way to explicitly say they are expecting HTML and whether they want it to run scripts.

Sound reasonable, everyone?

Member

rwaldron replied Jun 21, 2012

+1

Member

jaubourg replied Jun 21, 2012

+1

Member

gibson042 replied Jun 21, 2012

+1

Member

Krinkle replied Jun 22, 2012

For the record: Reverted in c20e031.

By the way, this didn't affect .html(), right? I mean setting $foo.html('hello <p></p>'); is completely valid imho. Passing it to $() seems a different case. Although I can imagine both being a potential problem.

Owner

timmywil replied Jun 22, 2012

No, it doesn't affect that.

Please sign in to comment.