author: Michał Gołębiowski-Owczarek <m.goleb@gmail.com> 2021-11-01 18:10:23 +0100
committer: GitHub <noreply@github.com> 2021-11-01 18:10:23 +0100
commit: 4250b628783d7bfa92ec6c5550c6e4b22fab6034
tree: 10fbd9709b4cc929b92e3f394332667846aed330 /src/attributes
parent: 4fd6912bfd8fffbfabc98a9b0789d28f10af0914
Attributes: Don't stringify attributes in the setter

Stringifying attributes in the setter was needed for IE <=9 but it breaks trusted types enforcement when setting a script `src` attribute.

Note that this doesn't mean script execution works. Since jQuery disables all scripts by changing their type and then executes them by creating fresh script tags with proper `src` & possibly other attributes, this unwraps any trusted `src` wrappers, making the script not execute under strict CSP settings. We might try to fix it in the future in a separate change.

Fixes gh-4948
Closes gh-4949

Diffstat (limited to 'src/attributes')
-rw-r--r-- src/attributes/attr.js 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/attributes/attr.js b/src/attributes/attr.js
index 2773a383c..d6d497735 100644
--- a/src/attributes/attr.js
+++ b/src/attributes/attr.js
@@ -50,7 +50,7 @@ jQuery.extend( {
return ret;
}
- elem.setAttribute( name, value + "" );
+ elem.setAttribute( name, value );
return value;
}
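
Review bot: The new `elem.setAttribute( name, value );` line carries no comment explaining why the value is passed through uncoerced, so a later cleanup could reintroduce `value + ""` and break Trusted Types enforcement for a script `src` again without anyone noticing. A one-line comment above the call would help, stating that the value must reach the DOM unstringified so that trusted type wrappers survive, and that the old coercion existed only for IE <=9. The commit message also says that script execution through jQuery still unwraps trusted `src` wrappers; a pointer to a follow-up issue, in that comment or in the message, would keep that remaining limitation visible to anyone relying on strict CSP settings.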