Skip to main content

Bug Tracker

Side navigation

#10304 closed bug (wontfix)

Opened September 18, 2011 03:33PM UTC

Closed September 19, 2011 04:20PM UTC

Last modified September 19, 2011 04:42PM UTC

"jQuery[0-9]*=*" being stripped on .html() call.

Reported by: Krinkle Owned by: Krinkle
Priority: low Milestone: 1.7
Component: core Version: 1.6.4rc1
Keywords: Cc:
Blocked by: Blocking:
Description

jQuery strips that. Although it makes sense in a way, right now it's stripping them from just plain text, which is wrong. It should only remove them in places where they are actual attributes (ie. within < and >).

Example:

$('<div>Lorem ipsum do foo and see <code> jQuery164040582746267318726="1"</code> foo bar</div>').html()

Reproduction: http://jsfiddle.net/yHCrw/

Attachments (0)
Change History (7)

Changed September 18, 2011 06:47PM UTC by rwaldron comment:1

description: jQuery strips that. Although it makes sense in a way, right now it's stripping them from just plain text, which is wrong. It should only remove them in places where they are actual attributes (ie. within < and >). \ \ Example: \ $('<div>Lorem ipsum do foo and see <code> jQuery164040582746267318726="1"</code> foo bar</div>').html() \ \ Reproduction: http://jsfiddle.net/yHCrw/ \ jQuery strips that. Although it makes sense in a way, right now it's stripping them from just plain text, which is wrong. It should only remove them in places where they are actual attributes (ie. within < and >). \ \ Example: \ $('<div>Lorem ipsum do foo and see <code> jQuery164040582746267318726="1"</code> foo bar</div>').html() \ \ Reproduction: \
owner: → Krinkle
status: newpending

what reason does your code have to need "jQuery" prefixed pseudo-guid string?

Changed September 18, 2011 07:37PM UTC by Krinkle comment:2

status: pendingnew

The blog where I encountered this bug had a blogpost about the jQuery guid.

Right now it's not removing certain ones in particular but any occurrence anywhere in the innerHTML, not limited to where (ie. between <tag and >) nor limited to which numbers (depending on how jQuery calculates these numbers it may be very possible to limit it to only match guids higher than the one it started with).

Actually, I don't think it's needed to check the number it self, Just making it only match between <tag and ` will fix most if not all cases (since then it's an actual attribute for which it is fair to assume that it was added by jQuery).

But right now it's not checking for the attribute, it's checking for the string itself.

Changed September 18, 2011 08:07PM UTC by rwaldron comment:3

So basically, someone drilled a hole in a bucket, then called the bucket company to report faulty buckets? Or like, reporting faulty retina scan hardware... because a gouged out eye is still scannable.

Changed September 19, 2011 01:12AM UTC by rwaldron comment:4

description: jQuery strips that. Although it makes sense in a way, right now it's stripping them from just plain text, which is wrong. It should only remove them in places where they are actual attributes (ie. within < and >). \ \ Example: \ $('<div>Lorem ipsum do foo and see <code> jQuery164040582746267318726="1"</code> foo bar</div>').html() \ \ Reproduction: \ jQuery strips that. Although it makes sense in a way, right now it's stripping them from just plain text, which is wrong. It should only remove them in places where they are actual attributes (ie. within < and >). \ \ Example: \ $('<div>Lorem ipsum do foo and see <code> jQuery164040582746267318726="1"</code> foo bar</div>').html() \ \ Reproduction: http://jsfiddle.net/yHCrw/

Changed September 19, 2011 04:05PM UTC by rwaldron comment:5

status: newpending

Changed September 19, 2011 04:20PM UTC by rwaldron comment:6

component: unfiledcore
milestone: None1.7
priority: undecidedlow
resolution: → wontfix
status: pendingclosed

Changed September 19, 2011 04:42PM UTC by Krinkle comment:7

If the use case were an element with an attribute that looks like jQuery[0-9] then I'd say, sure. That's invalid, wontfix since it's supposed to happen and people shouldn't use such attributes.

However that's not the case here, I'm talking about a mention of jQuery[0-9] in clear text of the elements contents (NOT the attributes). Like this bug ticket for example mentioning jQuery012="foo" here and calling .html() on this paragraph element would strip that, this a genuine bug in my opinion as jQuery has no interest in stripping those, it's only intending to strip the attributes that it added.