mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
de5398a6ad
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Closes gh-4927 Ref gh-4642 Ref gh-4724 |
||
|---|---|---|
| .. | ||
| data | ||
| integration | ||
| node_smoke_tests | ||
| promises_aplus_adapters | ||
| unit | ||
| .eslintrc.json | ||
| delegatetest.html | ||
| hovertest.html | ||
| index.html | ||
| jquery.js | ||
| karma.context.html | ||
| karma.debug.html | ||
| localfile.html | ||
| middleware-mockserver.js | ||
| networkerror.html | ||
| xhtml.php | ||