From 58c24608210c9a9a264a38746628ebc26823f59b Mon Sep 17 00:00:00 2001 From: Frederic Hemberger Date: Tue, 9 Dec 2014 15:13:46 -0500 Subject: Core: use document.implemenation.createHTMLDocument in jQuery.parseHTML Close gh-1505 --- src/core.js | 2 +- src/core/parseHTML.js | 8 ++++++-- src/core/support.js | 6 ++++++ test/unit/core.js | 18 ++++++++++++++++++ test/unit/support.js | 8 ++++++++ 5 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 src/core/support.js diff --git a/src/core.js b/src/core.js index fa8436a01..dab633f9c 100644 --- a/src/core.js +++ b/src/core.js @@ -7,7 +7,7 @@ define([ "./var/class2type", "./var/toString", "./var/hasOwn", - "./var/support" + "./core/support" ], function( arr, slice, concat, push, indexOf, class2type, toString, hasOwn, support ) { var diff --git a/src/core/parseHTML.js b/src/core/parseHTML.js index 808d60e3d..54016a4c1 100644 --- a/src/core/parseHTML.js +++ b/src/core/parseHTML.js @@ -2,7 +2,7 @@ define([ "../core", "./var/rsingleTag", "../manipulation" // buildFragment -], function( jQuery, rsingleTag ) { +], function( jQuery, rsingleTag, support ) { // data: string of html // context (optional): If specified, the fragment will be created in this context, @@ -16,7 +16,11 @@ jQuery.parseHTML = function( data, context, keepScripts ) { keepScripts = context; context = false; } - context = context || document; + // document.implementation stops scripts or inline event handlers from + // being executed immediately + context = context || ( support.createHTMLDocument ? + document.implementation.createHTMLDocument() : + document ); var parsed = rsingleTag.exec( data ), scripts = !keepScripts && []; diff --git a/src/core/support.js b/src/core/support.js new file mode 100644 index 000000000..fe3d6c218 --- /dev/null +++ b/src/core/support.js @@ -0,0 +1,6 @@ +define([ + "../var/support" +], function( jQuery, support ) { + // window.document is used here as it's before the sandboxed document + support.createHTMLDocument = !!window.document.implementation.createHTMLDocument; +}); diff --git a/test/unit/core.js b/test/unit/core.js index 66c02ac57..783a7462e 100644 --- a/test/unit/core.js +++ b/test/unit/core.js @@ -1367,6 +1367,24 @@ test("jQuery.parseHTML", function() { ok( jQuery.parseHTML("<#if>

This is a test.

<#/if>") || true, "Garbage input should not cause error" ); }); +// This XSS test is optional, as it will only pass when `document.implementation.createHTMLDocument` +// is implemented. This might not be the case for older Android browsers (<= 2.x). +if ( document.implementation.createHTMLDocument ) { + asyncTest("jQuery.parseHTML", function() { + expect ( 1 ); + + Globals.register("parseHTMLError"); + + jQuery.globalEval("parseHTMLError = false;"); + jQuery.parseHTML( "" ); + + window.setTimeout(function() { + start(); + equal( window.parseHTMLError, false, "onerror eventhandler has not been called." ); + }, 2000); + }); +} + test("jQuery.parseJSON", function() { expect( 20 ); diff --git a/test/unit/support.js b/test/unit/support.js index 11f15a33b..bed2c0414 100644 --- a/test/unit/support.js +++ b/test/unit/support.js @@ -61,6 +61,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": true, "clearCloneStyle": true, "cors": true, + "createHTMLDocument": true, "focusinBubbles": false, "noCloneChecked": true, "optDisabled": true, @@ -77,6 +78,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": true, "clearCloneStyle": false, "cors": true, + "createHTMLDocument": true, "focusinBubbles": true, "noCloneChecked": false, "optDisabled": true, @@ -93,6 +95,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": true, "clearCloneStyle": false, "cors": false, + "createHTMLDocument": true, "focusinBubbles": true, "noCloneChecked": false, "optDisabled": true, @@ -109,6 +112,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": true, "clearCloneStyle": true, "cors": true, + "createHTMLDocument": true, "focusinBubbles": false, "noCloneChecked": true, "optDisabled": true, @@ -125,6 +129,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": true, "clearCloneStyle": true, "cors": true, + "createHTMLDocument": true, "focusinBubbles": false, "noCloneChecked": true, "optDisabled": true, @@ -141,6 +146,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": true, "clearCloneStyle": true, "cors": true, + "createHTMLDocument": true, "focusinBubbles": false, "noCloneChecked": true, "optDisabled": true, @@ -157,6 +163,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": false, "clearCloneStyle": true, "cors": true, + "createHTMLDocument": true, "focusinBubbles": false, "noCloneChecked": true, "optDisabled": true, @@ -173,6 +180,7 @@ testIframeWithCallback( "Check CSP (https://developer.mozilla.org/en-US/docs/Sec "checkOn": false, "clearCloneStyle": false, "cors": true, + "createHTMLDocument": true, "focusinBubbles": false, "noCloneChecked": true, "optDisabled": false, -- cgit v1.2.3