import fnToString from "./var/fnToString.js";
import ObjectFunctionString from "./var/ObjectFunctionString.js";
import support from "./var/support.js";
-import isWindow from "./var/isWindow.js";
+import isArrayLike from "./core/isArrayLike.js";
import DOMEval from "./core/DOMEval.js";
-import toType from "./core/toType.js";
var version = "@VERSION",
class2type[ "[object " + name + "]" ] = name.toLowerCase();
} );
-function isArrayLike( obj ) {
-
- var length = !!obj && obj.length,
- type = toType( obj );
-
- if ( typeof obj === "function" || isWindow( obj ) ) {
- return false;
- }
-
- return type === "array" || length === 0 ||
- typeof length === "number" && length > 0 && ( length - 1 ) in obj;
-}
-
export default jQuery;
import jQuery from "../core.js";
import document from "../var/document.js";
import rsingleTag from "./var/rsingleTag.js";
+import isObviousHtml from "./isObviousHtml.js";
import "../traversing/findFilter.js";
// so migrate can support jQuery.sub (gh-2101)
root = root || rootjQuery;
- // Handle HTML strings
- if ( typeof selector === "string" ) {
- if ( selector[ 0 ] === "<" &&
- selector[ selector.length - 1 ] === ">" &&
- selector.length >= 3 ) {
+ // HANDLE: $(DOMElement)
+ if ( selector.nodeType ) {
+ this[ 0 ] = selector;
+ this.length = 1;
+ return this;
+
+ // HANDLE: $(function)
+ // Shortcut for document ready
+ } else if ( typeof selector === "function" ) {
+ return root.ready !== undefined ?
+ root.ready( selector ) :
+
+ // Execute immediately if ready is not present
+ selector( jQuery );
+
+ } else {
- // Assume that strings that start and end with <> are HTML and skip the regex check
+ // Handle obvious HTML strings
+ match = selector + "";
+ if ( isObviousHtml( match ) ) {
+
+ // Assume that strings that start and end with <> are HTML and skip
+ // the regex check. This also handles browser-supported HTML wrappers
+ // like TrustedHTML.
match = [ null, selector, null ];
- } else {
+ // Handle HTML strings or selectors
+ } else if ( typeof selector === "string" ) {
match = rquickExpr.exec( selector );
+ } else {
+ return jQuery.makeArray( selector, this );
}
// Match html or make sure no context is specified for #id
+ // Note: match[1] may be a string or a TrustedHTML wrapper
if ( match && ( match[ 1 ] || !context ) ) {
// HANDLE: $(html) -> $(array)
return this;
}
- // HANDLE: $(expr, $(...))
+ // HANDLE: $(expr) & $(expr, $(...))
} else if ( !context || context.jquery ) {
return ( context || root ).find( selector );
} else {
return this.constructor( context ).find( selector );
}
-
- // HANDLE: $(DOMElement)
- } else if ( selector.nodeType ) {
- this[ 0 ] = selector;
- this.length = 1;
- return this;
-
- // HANDLE: $(function)
- // Shortcut for document ready
- } else if ( typeof selector === "function" ) {
- return root.ready !== undefined ?
- root.ready( selector ) :
-
- // Execute immediately if ready is not present
- selector( jQuery );
}
- return jQuery.makeArray( selector, this );
};
// Give the init function the jQuery prototype for later instantiation
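Review bot: The `isObviousHtml( match )` branch is not limited to TrustedHTML: `match = selector + ""` coerces every value that is not a node or a function, so an array or plain object whose string form starts with `<` and ends with `>` now takes the HTML branch, where the removed code sent it to `jQuery.makeArray( selector, this )`. The `jQuery.parseHTML` guard and the `buildFragment` condition later in this commit widen in the same way, which matters for callers that hand parsed JSON or other non-string data to `jQuery()` on pages that do not enforce Trusted Types. I would state this next to the coercion, for example `// Any value whose string form looks like <...> is treated as HTML, not only TrustedHTML`. The enclosing init function starts outside this hunk.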
--- /dev/null
+import toType from "./toType.js";
+import isWindow from "../var/isWindow.js";
+
+function isArrayLike( obj ) {
+
+ var length = !!obj && obj.length,
+ type = toType( obj );
+
+ if ( typeof obj === "function" || isWindow( obj ) ) {
+ return false;
+ }
+
+ return type === "array" || length === 0 ||
+ typeof length === "number" && length > 0 && ( length - 1 ) in obj;
+}
+
+export default isArrayLike;
--- /dev/null
+function isObviousHtml( input ) {
+ return input[ 0 ] === "<" &&
+ input[ input.length - 1 ] === ">" &&
+ input.length >= 3;
+}
+
+export default isObviousHtml;
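Review bot: `isObviousHtml` carries no comment saying that `input` must already be a primitive string; both call sites in this commit coerce with `+ ""` first, and indexing a wrapper object directly would most likely yield `undefined` and return false without any error. A header comment such as `// Expects a string; coerce wrappers (e.g. TrustedHTML) with + "" before calling` would keep later callers from passing the wrapper itself. The same comment should say that this is a shape test on the first and last character and the length, not a check that the content is safe HTML.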
import document from "../var/document.js";
import rsingleTag from "./var/rsingleTag.js";
import buildFragment from "../manipulation/buildFragment.js";
+import isObviousHtml from "./isObviousHtml.js";
-// Argument "data" should be string of html
+// Argument "data" should be string of html or a TrustedHTML wrapper of obvious HTML
// context (optional): If specified, the fragment will be created in this context,
// defaults to document
// keepScripts (optional): If true, will include scripts passed in the html string
jQuery.parseHTML = function( data, context, keepScripts ) {
- if ( typeof data !== "string" ) {
+ if ( typeof data !== "string" && !isObviousHtml( data + "" ) ) {
return [];
}
if ( typeof context === "boolean" ) {
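Review bot: The new guard evaluates `data + ""` for every non-string argument, so a value that cannot be converted to a string (a Symbol, or an object created with a null prototype) now throws a TypeError where the old `typeof data !== "string"` check returned `[]`. If the empty-array result for unsupported input is meant to stay, the coercion could be limited to real objects that expose a string conversion, by putting `data && typeof data === "object" && typeof data.toString === "function"` in front of the `isObviousHtml( data + "" )` call. The body of `jQuery.parseHTML` continues past this hunk, so how the wrapper is consumed further down is not visible here.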
import wrapMap from "./wrapMap.js";
import getAll from "./getAll.js";
import setGlobalEval from "./setGlobalEval.js";
+import isArrayLike from "../core/isArrayLike.js";
var rhtml = /<|&#?\w+;/;
if ( elem || elem === 0 ) {
// Add nodes directly
- if ( toType( elem ) === "object" ) {
+ if ( toType( elem ) === "object" && ( elem.nodeType || isArrayLike( elem ) ) ) {
jQuery.merge( nodes, elem.nodeType ? [ elem ] : elem );
// Convert non-html into a text node
"require": false,
"Promise": false,
"Symbol": false,
+ "trustedTypes": false,
"QUnit": false,
"ajaxTest": false,
"testIframe": false,
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>CSP Test Page</title>
- <script src="../jquery.js"></script>
+ <script src="../../dist/jquery.min.js"></script>
<script src="iframeTest.js"></script>
<script src="support/csp.js"></script>
<script src="support/getComputedSupport.js"></script>
}
protected function cspFrame( $req ) {
- header( "Content-Security-Policy: default-src 'self'; report-uri ./mock.php?action=cspLog" );
+ header( "Content-Security-Policy: default-src 'self'; require-trusted-types-for 'script'; report-uri ./mock.php?action=cspLog" );
header( 'Content-type: text/html' );
echo file_get_contents( __DIR__ . '/csp.include.html' );
}
}
protected function cspAjaxScript( $req ) {
- header( "Content-Security-Policy: script-src 'self'; report-uri /base/test/data/mock.php?action=cspLog" );
+ header( "Content-Security-Policy: script-src 'self'; report-uri ./mock.php?action=cspLog" );
header( 'Content-type: text/html' );
echo file_get_contents( __DIR__ . '/csp-ajax-script.html' );
}
file_put_contents( $this->cspFile, '' );
}
+ protected function trustedHtml( $req ) {
+ header( "Content-Security-Policy: require-trusted-types-for 'script'; report-uri ./mock.php?action=cspLog" );
+ header( 'Content-type: text/html' );
+ echo file_get_contents( __DIR__ . '/trusted-html.html' );
+ }
+
protected function errorWithScript( $req ) {
header( 'HTTP/1.0 404 Not Found' );
if ( isset( $req->query['withScriptContentType'] ) ) {
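Review bot: The header added in `trustedHtml` enforces `require-trusted-types-for 'script'` but has no `trusted-types` directive, so the fixture page may create a policy under any name. Adding the allowlist, `require-trusted-types-for 'script'; trusted-types jquery-test-policy; report-uri ./mock.php?action=cspLog`, would bring the fixture closer to a locked-down deployment and would surface any policy that jQuery or another script tried to create on its own. The `trustedHtml` handler in the Node middleware later in this commit sets the same header and would need the same change. From the hunks shown, the new test does not appear to assert on what this page reports to `cspLog`, so that is worth confirming.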
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset=utf-8 />
+ <title>body</title>
+</head>
+<body>
+<div id="qunit-fixture"></div>
+<script src="../../dist/jquery.min.js"></script>
+<script src="iframeTest.js"></script>
+<script>
+ var i, input, elem, tags, policy,
+ results = [],
+ inputs = [
+ [ "<div></div>", "<div class='test'></div>", [ "div" ] ],
+ [ "<div></div>", "<div class='test'></div><span class='test'></span>",
+ [ "div", "span" ] ],
+ [ "<table></table>", "<td class='test'></td>", [ "td" ] ],
+ [ "<select></select>", "<option class='test'></option>", [ "option" ] ]
+ ];
+
+ function runTests( messagePrefix, getHtmlWrapper ) {
+ for ( i = 0; i < inputs.length; i++ ) {
+ input = inputs[ i ];
+ elem = jQuery( getHtmlWrapper( input[ 0 ] ) );
+ elem.append( getHtmlWrapper( input[ 1 ] ) );
+ tags = elem.find( ".test" ).toArray().map( function( node ) {
+ return node.nodeName.toLowerCase();
+ } );
+ results.push( {
+ actual: tags,
+ expected: input[ 2 ],
+ message: messagePrefix + ": " + input[ 2 ].join( ", " )
+ } );
+ }
+
+ elem = jQuery( getHtmlWrapper( "<div></div>" ) );
+ elem.append( getHtmlWrapper( "text content" ) );
+ results.push( {
+ actual: elem.html(),
+ expected: "text content",
+ message: messagePrefix + ": text content properly appended"
+ } );
+ }
+
+ if ( typeof trustedTypes !== "undefined" ) {
+ policy = trustedTypes.createPolicy( "jquery-test-policy", {
+ createHTML: function( html ) {
+ return html;
+ }
+ } );
+
+ runTests( "TrustedHTML", function wrapInTrustedHtml( input ) {
+ return policy.createHTML( input );
+ } );
+ } else {
+
+ // No TrustedHTML support so let's at least run tests with object wrappers
+ // with a proper `toString` function. This also shows that jQuery support
+ // of TrustedHTML is generic and would work with similar APIs out of the box
+ // as well. Ideally, we'd run these tests in browsers with TrustedHTML support
+ // as well but due to the CSP TrustedHTML enforcement these tests would fail.
+ runTests( "Object wrapper", function( input ) {
+ return {
+ toString: function toString() {
+ return input;
+ }
+ };
+ } );
+ }
+
+ startIframeTest( results );
+</script>
+</body>
+</html>
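Review bot: The `createHTML` callback of `jquery-test-policy` returns its input unchanged, which is acceptable in a fixture but is the policy shape that removes the protection Trusted Types gives in production code, and the page has no comment saying so. I would add `// Identity policy for tests only: performs no sanitization` above `createHTML`. A smaller style point: the `input` parameter of `wrapInTrustedHtml` and of the object-wrapper callback shadows the outer `input` variable that `runTests` assigns, so renaming the parameter to `html` would make the loop easier to follow.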
cspFrame: function( req, resp ) {
resp.writeHead( 200, {
"Content-Type": "text/html",
- "Content-Security-Policy": "default-src 'self'; report-uri /base/test/data/mock.php?action=cspLog"
+ "Content-Security-Policy": "default-src 'self'; require-trusted-types-for 'script'; report-uri /base/test/data/mock.php?action=cspLog"
} );
var body = fs.readFileSync( __dirname + "/data/csp.include.html" ).toString();
resp.end( body );
resp.writeHead( 200 );
resp.end();
},
+ trustedHtml: function( req, resp ) {
+ resp.writeHead( 200, {
+ "Content-Type": "text/html",
+ "Content-Security-Policy": "require-trusted-types-for 'script'; report-uri /base/test/data/mock.php?action=cspLog"
+ } );
+ var body = fs.readFileSync( __dirname + "/data/trusted-html.html" ).toString();
+ resp.end( body );
+ },
errorWithScript: function( req, resp ) {
if ( req.query.withScriptContentType ) {
resp.writeHead( 404, { "Content-Type": "application/javascript" } );
assert.strictEqual( elem[ 0 ].nodeName.toLowerCase(), "td", "First element is td" );
assert.strictEqual( elem[ 1 ].nodeName.toLowerCase(), "td", "Second element is td" );
} );
+
+// Test trustedTypes support in browsers where they're supported (currently Chrome 83+).
+// Browsers with no TrustedHTML support still run tests on object wrappers with
+// a proper `toString` function.
+testIframe(
+ "Basic TrustedHTML support (gh-4409)",
+ "mock.php?action=trustedHtml",
+ function( assert, jQuery, window, document, test ) {
+
+ assert.expect( 5 );
+
+ test.forEach( function( result ) {
+ assert.deepEqual( result.actual, result.expected, result.message );
+ } );
+ }
+);