diff options
| author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2021-09-30 16:00:24 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-09-30 16:00:24 +0200 |
| commit | de5398a6ad088dc006b46c6a870a2a053f4cd663 (patch) | |
| tree | 8141154c5f8f2bdc9fb92cf3ad58befa07a9a0dc /src/core/parseHTML.js | |
| parent | 1019074f7b1df96ee9d6409ada3dc0562046f6c7 (diff) | |
| download | jquery-de5398a6ad088dc006b46c6a870a2a053f4cd663.tar.gz jquery-de5398a6ad088dc006b46c6a870a2a053f4cd663.zip | |
Core:Manipulation: Add basic TrustedHTML support
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.
One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespaces are allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.
No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.
The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.
See https://web.dev/trusted-types/ for more information about TrustedHTML.
Fixes gh-4409
Closes gh-4927
Ref gh-4642
Ref gh-4724
Diffstat (limited to 'src/core/parseHTML.js')
| -rw-r--r-- | src/core/parseHTML.js | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/core/parseHTML.js b/src/core/parseHTML.js index 15278fa02..b522a5f7b 100644 --- a/src/core/parseHTML.js +++ b/src/core/parseHTML.js @@ -2,13 +2,14 @@ import jQuery from "../core.js"; import document from "../var/document.js"; import rsingleTag from "./var/rsingleTag.js"; import buildFragment from "../manipulation/buildFragment.js"; +import isObviousHtml from "./isObviousHtml.js"; -// Argument "data" should be string of html +// Argument "data" should be string of html or a TrustedHTML wrapper of obvious HTML // context (optional): If specified, the fragment will be created in this context, // defaults to document // keepScripts (optional): If true, will include scripts passed in the html string jQuery.parseHTML = function( data, context, keepScripts ) { - if ( typeof data !== "string" ) { + if ( typeof data !== "string" && !isObviousHtml( data + "" ) ) { return []; } if ( typeof context === "boolean" ) { |