diff options
| author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-06-10 16:13:22 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-06-10 16:13:22 +0200 |
| commit | 9c98e4e86eda857ee063bc48adbc1a11bb5506ee (patch) | |
| tree | 75c2dcd6e4be2907f48e50563785a702fd9db230 /src/queue | |
| parent | 7a6fae6a7e51ae30a9f3177e8639fbf523ed0915 (diff) | |
| download | jquery-9c98e4e86eda857ee063bc48adbc1a11bb5506ee.tar.gz jquery-9c98e4e86eda857ee063bc48adbc1a11bb5506ee.zip | |
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.
The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.
IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.
All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.
Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Diffstat (limited to 'src/queue')
0 files changed, 0 insertions, 0 deletions