
Core: use document.implemenation.createHTMLDocument in jQuery.parseHTML

Close gh-1505
fhemberger authored and timmywil committed Dec 9, 2014
1 parent 43faf6d commit 58c24608210c9a9a264a38746628ebc26823f59b
Showing with 39 additions and 3 deletions.
  1. +1 −1 src/core.js
  2. +6 −2 src/core/parseHTML.js
  3. +6 −0 src/core/support.js
  4. +18 −0 test/unit/core.js
  5. +8 −0 test/unit/support.js
@@ -7,7 +7,7 @@ define([
"./var/class2type",
"./var/toString",
"./var/hasOwn",
"./var/support"
"./core/support"
], function( arr, slice, concat, push, indexOf, class2type, toString, hasOwn, support ) {
var
@@ -2,7 +2,7 @@ define([
"../core",
"./var/rsingleTag",
"../manipulation" // buildFragment
], function( jQuery, rsingleTag ) {
], function( jQuery, rsingleTag, support ) {
// data: string of html
// context (optional): If specified, the fragment will be created in this context,
@@ -16,7 +16,11 @@ jQuery.parseHTML = function( data, context, keepScripts ) {
keepScripts = context;
context = false;
}
context = context || document;
// document.implementation stops scripts or inline event handlers from
// being executed immediately
context = context || ( support.createHTMLDocument ?
document.implementation.createHTMLDocument() :
document );
var parsed = rsingleTag.exec( data ),
scripts = !keepScripts && [];
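Review bot: The callback on the new side gains a third parameter, `support`, but the dependency array above it still ends in `"../manipulation"`, so under an AMD loader `support` is bound to whatever `../manipulation` exports rather than to the support object. If that export has no `createHTMLDocument` property, the ternary always takes the `document` branch and the markup is parsed in the live document, which is the case the new comment says is avoided. List the dependency explicitly and keep the positions aligned, e.g. `"./support"` as the third entry with `"../manipulation"` moved last. The same misalignment is in the new src/core/support.js, where a single dependency feeds `function( jQuery, support )` and nothing is returned for src/core.js to receive. The body of jQuery.parseHTML continues past the end of this hunk.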
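--- a/src/core/support.js
+++ b/src/core/support.js
@@ -0,0 +1,6 @@
+define([
+"../var/support"
+], function( jQuery, support ) {
+// window.document is used here as it's before the sandboxed document
+support.createHTMLDocument = !!window.document.implementation.createHTMLDocument;
+});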
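Review bot: The support flag is set from a truthiness check on the method, which shows that the property exists but not that the zero-argument call made in src/core/parseHTML.js succeeds. Engines that follow the older DOM draft can treat the title argument as mandatory, so the flag may be true while `createHTMLDocument()` throws, and a throwing parseHTML is a worse outcome than the live-document fallback. Probe with a real call inside try/catch, and pass an empty title at the call site as well: `document.implementation.createHTMLDocument( "" )`.

```javascript
// … unchanged: define() wrapper and the window.document comment …
support.createHTMLDocument = (function() {
	try {
		// The call itself has to succeed, not merely exist
		return !!window.document.implementation.createHTMLDocument( "" );
	} catch ( e ) {
		return false;
	}
})();
```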
@@ -1367,6 +1367,24 @@ test("jQuery.parseHTML", function() {
ok( jQuery.parseHTML("<#if><tr><p>This is a test.</p></tr><#/if>") || true, "Garbage input should not cause error" );
});
// This XSS test is optional, as it will only pass when `document.implementation.createHTMLDocument`
// is implemented. This might not be the case for older Android browsers (<= 2.x).
if ( document.implementation.createHTMLDocument ) {
asyncTest("jQuery.parseHTML", function() {
expect ( 1 );
Globals.register("parseHTMLError");
jQuery.globalEval("parseHTMLError = false;");
jQuery.parseHTML( "<img src=x onerror='parseHTMLError = true'>" );
window.setTimeout(function() {
start();
equal( window.parseHTMLError, false, "onerror eventhandler has not been called." );
}, 2000);
});
}
test("jQuery.parseJSON", function() {
expect( 20 );
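Review bot: The added async test calls `jQuery.parseHTML` only without a context, so nothing pins down that the deferral belongs to the default alone; going by the parseHTML.js change, a caller who passes `document` explicitly still gets nodes built in the live document. Add a comment above the test such as `// Covers the default (inert) context only; an explicit live document is not protected, and callers must still sanitize before inserting the result`. The second half of that comment is an inference from the word "immediately" in the source comment, so confirm it before committing. The test also reuses the name "jQuery.parseHTML" from the test just above it, which makes a failure report ambiguous; a distinct name like `"jQuery.parseHTML - inline handlers"` would help.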
@@ -61,6 +61,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": true,
"clearCloneStyle": true,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": false,
"noCloneChecked": true,
"optDisabled": true,
@@ -77,6 +78,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": true,
"clearCloneStyle": false,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": true,
"noCloneChecked": false,
"optDisabled": true,
@@ -93,6 +95,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": true,
"clearCloneStyle": false,
"cors": false,
"createHTMLDocument": true,
"focusinBubbles": true,
"noCloneChecked": false,
"optDisabled": true,
@@ -109,6 +112,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": true,
"clearCloneStyle": true,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": false,
"noCloneChecked": true,
"optDisabled": true,
@@ -125,6 +129,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": true,
"clearCloneStyle": true,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": false,
"noCloneChecked": true,
"optDisabled": true,
@@ -141,6 +146,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": true,
"clearCloneStyle": true,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": false,
"noCloneChecked": true,
"optDisabled": true,
@@ -157,6 +163,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": false,
"clearCloneStyle": true,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": false,
"noCloneChecked": true,
"optDisabled": true,
@@ -173,6 +180,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec
"checkOn": false,
"clearCloneStyle": false,
"cors": true,
"createHTMLDocument": true,
"focusinBubbles": false,
"noCloneChecked": true,
"optDisabled": false,

5 comments on commit 58c2460


mgol Dec 9, 2014

Member

If support.createHTMLDocument is true everywhere why do we need it? I don't see anything in pull comments.

Also, it seems there are some problems in IE: http://swarm.jquery.org/job/3955


timmywil Dec 9, 2014

Member

Good point. I didn't really think about it, just went with the direction the pull was going. We should drop the support test if every browser has it.


timmywil Dec 9, 2014

Member

I'm not certain about Android 2.3, tho.


markelog Dec 9, 2014

Member

@timmywil should be good there


timmywil Dec 9, 2014

Member

Ok, I'll take it out then.
