Side navigation
#11290 closed bug (fixed)
Opened February 06, 2012 06:08PM UTC
Closed December 13, 2012 08:31PM UTC
selector interpreted as HTML
| Reported by: | gibson042 | Owned by: | timmywil |
|---|---|---|---|
| Priority: | blocker | Milestone: | 1.9 |
| Component: | core | Version: | 1.7.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
#9521 and #6429 and probably others identify specific instances of a general problem: jQuery( strInput ) cannot reliably differentiate selectors from HTML.
Looking for "<" past the first character creates vulnerabilities and confusing behavior on complex input.
quickExpr should be abandoned in favor of a simpler "''parse as HTML if and only if there is a leading less-than''" rule, with intentional parsing handled by the jQuery( "<div/>" ).html( strHtml ).contents() pattern.
Attachments (0)
Change History (19)
Changed February 06, 2012 06:16PM UTC by comment:1
Changed February 07, 2012 10:47PM UTC by comment:2
| component: | unfiled → core |
|---|---|
| milestone: | None → 1.8 |
| priority: | undecided → blocker |
| status: | new → open |
Changed June 04, 2012 05:34PM UTC by comment:3
| owner: | → timmywil |
|---|---|
| status: | open → assigned |
Changed June 11, 2012 09:43PM UTC by comment:4
As http://bugs.jquery.com/ticket/9521#comment:24 points out, a simple "starts with <" rule will break some unit tests and is likely to cause issues in outside code. However, I think we should be willing to do that here for at least some cases.
The only issue I'm on the fence about is whether to trim leading spaces. I can imagine situations where people may have templates that end up with leading spaces, but then again it seems expensive to always pass the string through a regexp to remove them for the handful of sloppy cases that could be resolved by using $.trim() externally.
If people *want* to parse arbitrary complex HTML and they know it's HTML, we should encourage them to use the new $.parseHTML method per #11617. It would be best if $(html) didn't execute scripts for example.
Changed June 11, 2012 10:18PM UTC by comment:5
Given that we'll be providing jQuery.parseHTML for explicit HTML parsing, I'd like to be as strict as possible in jQuery.
Changed June 14, 2012 11:41PM UTC by comment:6
It is possible to adjust the regex to avoid matching html when it is within brackets, parens, or quotes, as well as ignoring any escaped html characters. This would fix the case presented in this ticket as well as jQuery mobile's, @jdalton's and @mathias' issue in #9521. The other issue in #9521 is that there is a xss vulnerability when unexpected input is passed to jQuery(). I think it is safe to say that is much lower priority, but that would also be fixed by specifying that if some selector contains characters normally recognized as html, they should be escaped. This would resolve all of the issues and be backwards-compatible, unless I've missed a case.
Changed June 19, 2012 03:33PM UTC by comment:7
I've implemented what I meant and adjusted the regex so we maintain backwards-compatibility as well as restrict the unexpected behaviors from occurring. This will fix most issues. Patch incoming.
Changed June 19, 2012 03:35PM UTC by comment:8
| resolution: | → fixed |
|---|---|
| status: | assigned → closed |
When detecting html in init, ignore html characters within quotes, brackets, and parens as well as escaped characters which are valid in selectors. Fixes #11290.
Changeset: 7692ae419d4c19bd06a0ba01fc2af8d21035873c
Changed June 19, 2012 06:37PM UTC by comment:9
| resolution: | fixed |
|---|---|
| status: | closed → reopened |
Now it's gone too far the other way... http://jsfiddle.net/HCa89/1/
Changed June 20, 2012 03:18PM UTC by comment:10
Having discussed it with gibson and Dave, we're adopting a different strategy (the starts-with rule). While ignoring html within quotes, brackets, and parens could have worked, I agree it would have come at too great a cost. Commit incoming.
Changed June 20, 2012 03:18PM UTC by comment:11
| status: | reopened → assigned |
|---|
Changed June 20, 2012 03:19PM UTC by comment:12
| resolution: | → fixed |
|---|---|
| status: | assigned → closed |
Adjust jQuery('html') detection to only match when html starts with '<' (counting space characters). Fixes #11290
Changeset: 239fc86b01d52fd9df6d1963027ed37b4f6251fc
Changed June 21, 2012 05:41PM UTC by comment:13
Revert "Adjust jQuery('html') detection to only match when html starts with '<' (counting space characters). Fixes #11290"
This reverts commit 239fc86b01d52fd9df6d1963027ed37b4f6251fc.
The consensus is that this would change behavior too abruptly. We will warn in 1.8 and do this in 1.9.
Changeset: c20e031058c6210a1ed753f75af80588f076d60d
Changed November 02, 2012 01:44AM UTC by comment:14
| milestone: | 1.8 → 1.9 |
|---|
Changed November 02, 2012 01:44AM UTC by comment:15
| resolution: | fixed |
|---|---|
| status: | closed → reopened |
Changed November 02, 2012 01:44AM UTC by comment:16
| status: | reopened → open |
|---|
Changed November 02, 2012 01:45AM UTC by comment:17
#12531 is a duplicate of this ticket.
Changed December 10, 2012 05:15PM UTC by comment:18
Going into 1.9; the compat plugin will restore the old behavior.
Changed December 13, 2012 08:31PM UTC by comment:19
| resolution: | → fixed |
|---|---|
| status: | open → closed |
Adjust jQuery('html') detection to only match when html starts with '<' (not counting space characters). Fixes #11290.
Changeset: 05531fc4080ae24070930d15ae0cea7ae056457d
Also (for reference), CSS lexical tokenization:
string {string1}|{string2} string1 \\"([^\\n\\r\\f\\\\"]|\\\\{nl}|{escape})*\\" string2 \\'([^\\n\\r\\f\\\\']|\\\\{nl}|{escape})*\\' escape {unicode}|\\\\[^\\n\\r\\f0-9a-f] unicode \\\\[0-9a-f]{1,6}(\\r\\n|[ \\n\\r\\t\\f])?