
Bug Tracker


#13074 closed bug (notabug)

Opened December 18, 2012 04:29PM UTC

Closed December 18, 2012 05:06PM UTC

Last modified December 18, 2012 05:34PM UTC

html("<div onclick='xyz'>x</div>") call with event on server Internet Explorer causes security error

Reported by: jiongmai@gmail.com
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: 1.8.3
Keywords:
Cc:
Blocked by:
Blocking:

Description

When I run $("#Item").html("<div onclick='xyz'>x</div>") it causes a popup error

Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration.

about:blank

It offers to add about:blank to the Trusted sites zone. If added, the error no longer appears.

This error does not cause the script to fail. The script resumes and works perfectly, and the error doesn't appear even if run again until the next page reload.

I have tested this on Server 2003 with IE8 and Server 2008 with IE9, and they both show this behavior. This appears to affect older versions of jQuery as well.

Attachments (0)
Change History (5)

Changed December 18, 2012 04:57PM UTC by jiongmai@gmail.com comment:1

Here is some example code -- http://jsfiddle.net/2BBq6/

Changed December 18, 2012 05:06PM UTC by dmethvin comment:2

resolution: → notabug
status: new → closed

Hey there little <div>, what are you doing in a <tbody>? You are NOT supposed to be there! And what about you <tbody>, you aren't even in a <table>! Go find a <table>, silly <tbody>.

http://jsfiddle.net/2BBq6/1/

http://www.w3.org/TR/html401/struct/tables.html#h-11.2.3

Changed December 18, 2012 05:23PM UTC by jiongmai@gmail.com comment:3

Since you put it that way, updated code to be a bit more compliant. Still a bug.

http://jsfiddle.net/2BBq6/2/

Changed December 18, 2012 05:30PM UTC by dmethvin comment:4

My example worked fine in both IE8 and IE9. Please take it to the forum and debug it there.

Changed December 18, 2012 05:34PM UTC by dmethvin comment:5

Also I should add that in general, inline event handlers are on jQuery's wontfix list since they are a security risk and extremely bad practice.
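
Added example, not part of the ticket and not jQuery code: a small lint that flags inline event-handler attributes (such as the `onclick='xyz'` in the reported fragment) in a markup string before it is handed to `.html()`, so the handler can be bound from script instead. The function name `findInlineHandlers` and every sample string other than the ticket's own fragment are constructed for illustration; this is a review aid, not an HTML sanitizer.

```javascript
// Opening tag: captures the tag name and the raw attribute text.
// Quoted values are consumed whole, so a ">" inside quotes does not end the tag.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Returns one finding per on* attribute found inside an opening tag.
function findInlineHandlers(markup) {
  const findings = [];
  for (const tag of markup.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase(); // attribute names are case-insensitive
      if (/^on[a-z]+$/.test(name)) {      // onclick, onload, ... but not data-onclick
        findings.push({
          tag: tag[1].toLowerCase(),
          attribute: name,
          code: attr[2] ?? attr[3] ?? attr[4] ?? "",
        });
      }
    }
  }
  return findings;
}

// The fragment from the ticket, followed by constructed samples.
const samples = [
  "<div onclick='xyz'>x</div>",
  '<a title="a > b" ONCLICK="go()" data-onclick="no">t</a>',
  "<img src=x onload=init()>",
  "<p>the text onclick='x' outside a tag is not an attribute</p>",
];

for (const s of samples) {
  const hits = findInlineHandlers(s);
  console.log(hits.length ? "FLAG " : "ok   ", s, JSON.stringify(hits));
}
```

A flagged fragment can be rewritten to carry no `on*` attribute and have its handler attached with `.on()` after insertion.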