Permalink
Browse files

Fixes #9221. Wraps openings of html comments and CDATA blocks found a…

…t the beginning of inserted script elements into a javascript block comment so that the new implementation of globalEval will not throw an exception in IE (execScript being less lenient than eval). Unit tests added.
  • Loading branch information...
1 parent 3a1c27b commit 391398cf23603201f63c6e815a287e0cb107988c @jaubourg jaubourg committed May 11, 2011
Showing with 22 additions and 3 deletions.
  1. +3 −2 src/manipulation.js
  2. +19 −1 test/unit/manipulation.js
View
@@ -10,6 +10,7 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
// checked="checked" or checked
rchecked = /checked\s*(?:[^=]|=\s*.checked.)/i,
rscriptType = /\/(java|ecma)script/i,
+ rcleanScript = /^\s*<!(?:\[CDATA\[|\-\-)/,
wrapMap = {
option: [ 1, "<select multiple='multiple'>", "</select>" ],
legend: [ 1, "<fieldset>", "</fieldset>" ],
@@ -500,7 +501,7 @@ jQuery.each({
function getAll( elem ) {
if ( "getElementsByTagName" in elem ) {
return elem.getElementsByTagName( "*" );
-
+
} else if ( "querySelectorAll" in elem ) {
return elem.querySelectorAll( "*" );
@@ -738,7 +739,7 @@ function evalScript( i, elem ) {
dataType: "script"
});
} else {
- jQuery.globalEval( elem.text || elem.textContent || elem.innerHTML || "" );
+ jQuery.globalEval( ( elem.text || elem.textContent || elem.innerHTML || "" ).replace( rcleanScript, "/*$0*/" ) );
}
if ( elem.parentNode ) {
View
@@ -1044,7 +1044,7 @@ test("clone(form element) (Bug #3879, #6655)", function() {
equals( clone.is(":checked"), element.is(":checked"), "Checked input cloned correctly" );
equals( clone[0].defaultValue, "foo", "Checked input defaultValue cloned correctly" );
-
+
// defaultChecked also gets set now due to setAttribute in attr, is this check still valid?
// equals( clone[0].defaultChecked, !jQuery.support.noCloneChecked, "Checked input defaultChecked cloned correctly" );
@@ -1396,3 +1396,21 @@ test("jQuery.buildFragment - no plain-text caching (Bug #6779)", function() {
equals($f.text(), bad.join(""), "Cached strings that match Object properties");
$f.remove();
});
+
+test( "jQuery.html - execute scripts escaped with html comment or CDATA (#9221)", function() {
+ expect( 2 );
+ jQuery( [
+ '<script type="text/javascript">',
+ '<!--',
+ 'ok( true, "<!-- handled" );',
+ '//-->',
+ '</script>'
+ ].join ( "\n" ) ).appendTo( "#qunit-fixture" );
+ jQuery( [
+ '<script type="text/javascript">',
+ '<![CDATA[',
+ 'ok( true, "<![CDATA[ handled" );',
+ '//]]>',
+ '</script>'
+ ].join ( "\n" ) ).appendTo( "#qunit-fixture" );
+});

3 comments on commit 391398c

Member

jeresig replied May 11, 2011

I'm confused by this commit. Why would someone comment out the last line of the comment but not the first one? What's the use case here? And is this really important enough to land post-RC?

Member

jaubourg replied May 11, 2011

Apparently, every browser we support do allow an opening html comment at the start of inline script tags, exemplified by the fact it worked in 1.5.2 when we were still using script tag injection. Sadly, this feature is popular enough to have a library like Drupal use it.

If you want to revert it, feel free to do it, but it's clearly a regression, it breaks a major PHP library, it's actually a bug since what we were doing with scripts in 1.6.0 wasn't symetric with what the browsers do. Thought it was perfectly into the boundaries between a RC and a release.

Member

jdalton replied May 11, 2011

Oh yea! That's another reason script injection was awesome, easy xbrowser support for both comment styles in the code. This continues to bite Prototype, it seems some security software would also wrap some ajax responses.

Please sign in to comment.