jquery/test/data/trusted-html.html
Michał Gołębiowski-Owczarek de5398a6ad
Core:Manipulation: Add basic TrustedHTML support
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.

One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespaces are allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.

No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.

The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.

See https://web.dev/trusted-types/ for more information about TrustedHTML.

Fixes gh-4409
Closes gh-4927
Ref gh-4642
Ref gh-4724
2021-09-30 16:00:24 +02:00

76 lines
2.1 KiB
HTML

<!DOCTYPE html>
<html>
<head>
<meta charset=utf-8 />
<title>body</title>
</head>
<body>
<div id="qunit-fixture"></div>
<script src="../../dist/jquery.min.js"></script>
<script src="iframeTest.js"></script>
<script>
var i, input, elem, tags, policy,
results = [],
inputs = [
[ "<div></div>", "<div class='test'></div>", [ "div" ] ],
[ "<div></div>", "<div class='test'></div><span class='test'></span>",
[ "div", "span" ] ],
[ "<table></table>", "<td class='test'></td>", [ "td" ] ],
[ "<select></select>", "<option class='test'></option>", [ "option" ] ]
];
function runTests( messagePrefix, getHtmlWrapper ) {
for ( i = 0; i < inputs.length; i++ ) {
input = inputs[ i ];
elem = jQuery( getHtmlWrapper( input[ 0 ] ) );
elem.append( getHtmlWrapper( input[ 1 ] ) );
tags = elem.find( ".test" ).toArray().map( function( node ) {
return node.nodeName.toLowerCase();
} );
results.push( {
actual: tags,
expected: input[ 2 ],
message: messagePrefix + ": " + input[ 2 ].join( ", " )
} );
}
elem = jQuery( getHtmlWrapper( "<div></div>" ) );
elem.append( getHtmlWrapper( "text content" ) );
results.push( {
actual: elem.html(),
expected: "text content",
message: messagePrefix + ": text content properly appended"
} );
}
if ( typeof trustedTypes !== "undefined" ) {
policy = trustedTypes.createPolicy( "jquery-test-policy", {
createHTML: function( html ) {
return html;
}
} );
runTests( "TrustedHTML", function wrapInTrustedHtml( input ) {
return policy.createHTML( input );
} );
} else {
// No TrustedHTML support so let's at least run tests with object wrappers
// with a proper `toString` function. This also shows that jQuery support
// of TrustedHTML is generic and would work with similar APIs out of the box
// as well. Ideally, we'd run these tests in browsers with TrustedHTML support
// as well but due to the CSP TrustedHTML enforcement these tests would fail.
runTests( "Object wrapper", function( input ) {
return {
toString: function toString() {
return input;
}
};
} );
}
startIframeTest( results );
</script>
</body>
</html>