author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2021-11-01 18:10:23 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-01 18:10:23 +0100 |
commit | 4250b628783d7bfa92ec6c5550c6e4b22fab6034 (patch) | |
tree | 10fbd9709b4cc929b92e3f394332667846aed330 /src/attributes | |
parent | 4fd6912bfd8fffbfabc98a9b0789d28f10af0914 (diff) | |

Attributes: Don't stringify attributes in the setter

Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.

Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.

Fixes gh-4948
Closes gh-4949

Diffstat (limited to 'src/attributes')
-rw-r--r-- | src/attributes/attr.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/attributes/attr.js b/src/attributes/attr.js index 2773a383c..d6d497735 100644 --- a/src/attributes/attr.js +++ b/src/attributes/attr.js @@ -50,7 +50,7 @@ jQuery.extend( { return ret; } - elem.setAttribute( name, value + "" ); + elem.setAttribute( name, value ); return value; } |
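
Review bot: at `elem.setAttribute( name, value );` nothing in the code records why the value is now passed unconverted, so a later cleanup could reintroduce `value + ""` and silently break Trusted Types enforcement again. Consider a one-line comment above the call stating that the value may be a trusted-type wrapper (for example for a script `src`) and must reach `setAttribute` as-is. The diffstat shown is limited to `src/attributes`, so it is worth confirming that the commit also carries a regression test that sets a trusted `src` through this setter with enforcement enabled. Since the commit message notes that jQuery's script re-creation path still unwraps trusted `src` values, the test should cover only the attribute set itself, not script execution.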