mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
de5398a6ad
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Closes gh-4927 Ref gh-4642 Ref gh-4724
81 lines
1.5 KiB
JSON
81 lines
1.5 KiB
JSON
{
|
|
"root": true,
|
|
|
|
"extends": "../.eslintrc-browser.json",
|
|
|
|
"env": {
|
|
|
|
// In source the browser env is not enabled but unit tests rely on them
|
|
// too much and we don't run them in non-browser environments anyway.
|
|
"browser": true
|
|
},
|
|
|
|
"globals": {
|
|
"require": false,
|
|
"Promise": false,
|
|
"Symbol": false,
|
|
"trustedTypes": false,
|
|
"QUnit": false,
|
|
"ajaxTest": false,
|
|
"testIframe": false,
|
|
"createDashboardXML": false,
|
|
"createWithFriesXML": false,
|
|
"createXMLFragment": false,
|
|
"moduleTeardown": false,
|
|
"url": false,
|
|
"q": false,
|
|
"jQuery": true,
|
|
"sinon": true,
|
|
"amdDefined": true,
|
|
"fireNative": true,
|
|
"Globals": true,
|
|
"hasPHP": true,
|
|
"isLocal": true,
|
|
"supportjQuery": true,
|
|
"originaljQuery": true,
|
|
"$": true,
|
|
"original$": true,
|
|
"baseURL": true,
|
|
"externalHost": true
|
|
},
|
|
|
|
"rules": {
|
|
// See https://github.com/eslint/eslint/issues/2342
|
|
"no-unused-vars": "off",
|
|
|
|
// Too many errors
|
|
"max-len": "off",
|
|
"brace-style": "off",
|
|
"key-spacing": "off",
|
|
"camelcase": "off",
|
|
"one-var": "off",
|
|
"strict": "off",
|
|
|
|
// Not really too many - waiting for autofix features for these rules
|
|
"lines-around-comment": "off",
|
|
"dot-notation": "off"
|
|
},
|
|
|
|
"overrides": [
|
|
{
|
|
"files": [
|
|
"data/core/jquery-iterability-transpiled-es6.js",
|
|
"data/testinit-jsdom.js"
|
|
],
|
|
"parserOptions": {
|
|
"ecmaVersion": 2015
|
|
}
|
|
},
|
|
|
|
{
|
|
"files": [
|
|
"jquery.js",
|
|
"data/testinit.js"
|
|
],
|
|
"parserOptions": {
|
|
"ecmaVersion": 2020
|
|
}
|
|
}
|
|
]
|
|
}
|