mirror of
https://github.com/jquery/jquery.git
synced 2024-11-23 02:54:22 +00:00
de5398a6ad
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Closes gh-4927 Ref gh-4642 Ref gh-4724 |
||
|---|---|---|
| .. | ||
| ajax.js | ||
| animation.js | ||
| attributes.js | ||
| basic.js | ||
| callbacks.js | ||
| core.js | ||
| css.js | ||
| data.js | ||
| deferred.js | ||
| deprecated.js | ||
| dimensions.js | ||
| effects.js | ||
| event.js | ||
| exports.js | ||
| manipulation.js | ||
| offset.js | ||
| queue.js | ||
| ready.js | ||
| selector.js | ||
| serialize.js | ||
| support.js | ||
| traversing.js | ||
| tween.js | ||
| wrap.js | ||