mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
9c98e4e86e
Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. All these improvements, apart from making logic more secure, decrease the gzipped size by 58 bytes. Closes gh-4724 Ref gh-4409 Ref angular/angular.js#17028 Co-authored-by: Richard Gibson <richard.gibson@gmail.com> |
||
|---|---|---|
| .. | ||
| data | ||
| integration | ||
| node_smoke_tests | ||
| promises_aplus_adapters | ||
| unit | ||
| .eslintrc.json | ||
| delegatetest.html | ||
| hovertest.html | ||
| index.html | ||
| jquery.js | ||
| karma.context.html | ||
| karma.debug.html | ||
| localfile.html | ||
| middleware-mockserver.js | ||
| networkerror.html | ||
| xhtml.php | ||