mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
9c98e4e86e
Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. All these improvements, apart from making logic more secure, decrease the gzipped size by 58 bytes. Closes gh-4724 Ref gh-4409 Ref angular/angular.js#17028 Co-authored-by: Richard Gibson <richard.gibson@gmail.com> |
||
|---|---|---|
| .. | ||
| ajax.js | ||
| animation.js | ||
| attributes.js | ||
| basic.js | ||
| callbacks.js | ||
| core.js | ||
| css.js | ||
| data.js | ||
| deferred.js | ||
| deprecated.js | ||
| dimensions.js | ||
| effects.js | ||
| event.js | ||
| exports.js | ||
| manipulation.js | ||
| offset.js | ||
| queue.js | ||
| ready.js | ||
| selector.js | ||
| serialize.js | ||
| support.js | ||
| traversing.js | ||
| tween.js | ||
| wrap.js | ||