Side navigation
#13638 closed bug (notabug)
Opened March 20, 2013 11:29PM UTC
Closed March 20, 2013 11:45PM UTC
jQuery.event.trigger with open/write will call document methods inadvertantly
Reported by: | alex.wallace | Owned by: | alex.wallace |
---|---|---|---|
Priority: | undecided | Milestone: | None |
Component: | unfiled | Version: | 1.9.1 |
Keywords: | Cc: | ||
Blocked by: | Blocking: |
Description
Simple example:
Using $.event.trigger('write') or $.event.trigger('open') can result in calling document.open() or document.write() if the propagation is not stopped. I scanned the standard list of methods available on the document object and these are the only two that can be called with no arguments and result in adverse effects. The rest will at least throw an error, which is caught by the wrapping try/catch. But calling open() or write() will wipe the current document.
This affects 1.9.1, in latest Chrome, Firefox, IE9, and I would expect any other browser with open/write available on the document object. (all?) This issue is not present in earlier versions of jQuery.
Given that #6170 avoided the window object to avoid inadvertently calling global methods, this issue feels similar.
Attachments (0)
Change History (4)
Changed March 20, 2013 11:31PM UTC by comment:1
Changed March 20, 2013 11:37PM UTC by comment:2
owner: | → alex.wallace |
---|---|
status: | new → pending |
Why are you triggering those events on the document?
The behavior of calling the method is documented in .trigger()
, as well as the recommendation to use .triggerHandler()
if you don't want it. http://api.jquery.com/trigger/
There is already a api.jquery.com docs ticket to tell people not to use simple names for custom events. https://github.com/jquery/api.jquery.com/issues/125
Changed March 20, 2013 11:41PM UTC by comment:3
status: | pending → new |
---|
This was turned up due to having a custom event named "open.flyout". triggerHandler is what we need for this use case- thanks. This can be closed out.
Changed March 20, 2013 11:45PM UTC by comment:4
resolution: | → notabug |
---|---|
status: | new → closed |
Will do. I also noticed that the report was about $.event.trigger()
which is an undocumented interface and that particular usage (just an event with no target element) will break as of jQuery 1.9.
Patch with tests:
https://github.com/awallace/jquery/commit/e173d2391a243b04956dd83bf2f69432f9e6c2fa