From 4250b628783d7bfa92ec6c5550c6e4b22fab6034 Mon Sep 17 00:00:00 2001
From: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Date: Mon, 1 Nov 2021 18:10:23 +0100
Subject: Attributes: Don't stringify attributes in the setter

Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.

Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.

Fixes gh-4948
Closes gh-4949
---
 src/attributes/attr.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/attributes')

diff --git a/src/attributes/attr.js b/src/attributes/attr.js
index 2773a383c..d6d497735 100644
--- a/src/attributes/attr.js
+++ b/src/attributes/attr.js
@@ -50,7 +50,7 @@ jQuery.extend( {
 				return ret;
 			}
 
-			elem.setAttribute( name, value + "" );
+			elem.setAttribute( name, value );
 			return value;
 		}
 
-- 
cgit v1.2.3