mirror of
https://github.com/jquery/jquery.git
synced 2025-01-10 18:24:24 +00:00
9c98e4e86e
Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`.

The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element whose contents are set is a proper table element, e.g.:

```js
tr.innerHTML = "<td></td>";
```

The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older versions we'd have to duplicate the code paths.

IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`.

All these improvements, apart from making logic more secure, decrease the gzipped size by 58 bytes.

Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>

- data
- integration
- node_smoke_tests
- promises_aplus_adapters
- unit
- .eslintrc.json
- delegatetest.html
- hovertest.html
- index.html
- jquery.js
- karma.context.html
- karma.debug.html
- localfile.html
- middleware-mockserver.js
- networkerror.html
- xhtml.php