Bug Tracker

Ticket #10304 (closed bug: wontfix)

Opened 3 years ago

Last modified 3 years ago

"jQuery[0-9]*=*" being stripped on .html() call.

Reported by: Krinkle
Owned by: Krinkle
Priority: low
Milestone: 1.7
Component: core
Version: 1.6.4rc1
Keywords:
Cc:
Blocking:
Blocked by:

Description (last modified by rwaldron)

jQuery strips that. Although it makes sense in a way, right now it's stripping them from just plain text, which is wrong. It should only remove them in places where they are actual attributes (i.e. within < and >).

Example: $('<div>Lorem ipsum do foo and see <code> jQuery164040582746267318726="1"</code> foo bar</div>').html()

Reproduction:  http://jsfiddle.net/yHCrw/

Change History

comment:1 Changed 3 years ago by rwaldron

  • Owner set to Krinkle
  • Status changed from new to pending
  • Description modified

What reason does your code have to need a "jQuery"-prefixed pseudo-guid string?

comment:2 Changed 3 years ago by Krinkle

  • Status changed from pending to new

The blog where I encountered this bug had a blogpost about the jQuery guid.

Right now it's not removing certain ones in particular but any occurrence anywhere in the innerHTML, not limited to where (i.e. between <tag and >) nor limited to which numbers (depending on how jQuery calculates these numbers it may be very possible to limit it to only match guids higher than the one it started with).

Actually, I don't think it's needed to check the number itself. Just making it only match between <tag and > will fix most if not all cases (since then it's an actual attribute for which it is fair to assume that it was added by jQuery).

But right now it's not checking for the attribute, it's checking for the string itself.

comment:3 Changed 3 years ago by rwaldron

So basically, someone drilled a hole in a bucket, then called the bucket company to report faulty buckets? Or like, reporting faulty retina scan hardware... because a gouged out eye is still scannable.

comment:4 Changed 3 years ago by rwaldron

  • Description modified

comment:5 Changed 3 years ago by rwaldron

  • Status changed from new to pending

comment:6 Changed 3 years ago by rwaldron

  • Priority changed from undecided to low
  • Resolution set to wontfix
  • Status changed from pending to closed
  • Component changed from unfiled to core
  • Milestone changed from None to 1.7

comment:7 Changed 3 years ago by Krinkle

If the use case were an element with an attribute that looks like jQuery[0-9] then I'd say, sure. That's invalid, wontfix since it's supposed to happen and people shouldn't use such attributes.

However, that's not the case here. I'm talking about a mention of jQuery[0-9] in clear text of the element's contents (NOT the attributes). Like this bug ticket for example mentioning jQuery012="foo" here, and calling .html() on this paragraph element would strip that. This is a genuine bug in my opinion, as jQuery has no interest in stripping those; it's only intending to strip the attributes that it added.
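The difference the ticket argues about, as an added example that is not part of the ticket and not jQuery's own code: a pattern run over the whole serialized string versus the same pattern limited to the span between "<tag" and ">". The pattern, function names and sample markup are constructed for illustration.

```javascript
// Constructed stand-in for the expando-stripping pattern the ticket describes
// (the ticket title gives it as jQuery[0-9]*=*); not copied from jQuery's source.
const EXPANDO = / jQuery\d+="[^"]*"/g;

// Behaviour reported in the ticket: the pattern is applied to the whole
// serialized innerHTML, so matching text content is removed as well.
function stripAnywhere(html) {
  return html.replace(EXPANDO, "");
}

// Behaviour the reporter asks for: only strip between "<tag" and ">".
// Assumption: no attribute value contains a literal "<" or ">"; an exact
// implementation would walk the DOM or tokenize instead of using a regex.
function stripInsideTags(html) {
  return html.replace(/<[a-zA-Z][^<>]*>/g, (tag) => tag.replace(EXPANDO, ""));
}

// True when the expando pattern also occurs outside any opening tag, i.e.
// when whole-string stripping would alter visible text.
function textWouldBeAltered(html) {
  return stripAnywhere(html) !== stripInsideTags(html);
}

// Constructed sample: one expando-style attribute on <p>, plus the same
// kind of string mentioned as plain text inside <code>.
const sample =
  '<p jQuery1640405="12">see <code> jQuery164040582746267318726="1"</code> foo</p>';

console.log(stripAnywhere(sample));
console.log(stripInsideTags(sample));
console.log(textWouldBeAltered(sample));
```
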
