Bug Tracker

#13638 closed bug (notabug)

Opened March 20, 2013 11:29PM UTC

Closed March 20, 2013 11:45PM UTC

jQuery.event.trigger with open/write will call document methods inadvertently

Reported by: alex.wallace
Owned by: alex.wallace
Priority: undecided
Milestone: None
Component: unfiled
Version: 1.9.1
Keywords:
Cc:
Blocked by:
Blocking:

Description

Simple example:

http://jsfiddle.net/8UtFE/3/

Using $.event.trigger('write') or $.event.trigger('open') can result in calling document.open() or document.write() if the propagation is not stopped. I scanned the standard list of methods available on the document object and these are the only two that can be called with no arguments and result in adverse effects. The rest will at least throw an error, which is caught by the wrapping try/catch. But calling open() or write() will wipe the current document.

This affects 1.9.1, in latest Chrome, Firefox, IE9, and I would expect any other browser with open/write available on the document object. (all?) This issue is not present in earlier versions of jQuery.

Given that #6170 avoided the window object to avoid inadvertently calling global methods, this issue feels similar.

Attachments (0)
Change History (4)

Changed March 20, 2013 11:31PM UTC by alex.wallace comment:1

Changed March 20, 2013 11:37PM UTC by dmethvin comment:2

owner: → alex.wallace
status: new → pending

Why are you triggering those events on the document?

The behavior of calling the method is documented in .trigger(), as well as the recommendation to use .triggerHandler() if you don't want it. http://api.jquery.com/trigger/

There is already a api.jquery.com docs ticket to tell people not to use simple names for custom events. https://github.com/jquery/api.jquery.com/issues/125

Changed March 20, 2013 11:41PM UTC by alex.wallace comment:3

status: pending → new

This was turned up due to having a custom event named "open.flyout". triggerHandler is what we need for this use case - thanks. This can be closed out.

Changed March 20, 2013 11:45PM UTC by dmethvin comment:4

resolution: → notabug
status: new → closed

Will do. I also noticed that the report was about $.event.trigger() which is an undocumented interface and that particular usage (just an event with no target element) will break as of jQuery 1.9.
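
The difference between the two calls discussed in this ticket, as an added example that is not part of the original ticket and is not jQuery's code. It is a simplified model that assumes only what the thread states: a trigger runs handlers and then calls the same-named method on the target, while a handler-only trigger does not. `makeEmitter`, `collidingEvents` and the stand-in document object are hypothetical names constructed for illustration.

```javascript
// Simplified model (assumption): not jQuery's implementation.
// Namespace filtering of handlers is omitted; only the base type matters here.
function baseType(eventName) {
  // "open.flyout" -> "open": the namespace is not part of the event type.
  return String(eventName).split(".")[0];
}

function makeEmitter(target) {
  const handlers = new Map(); // base type -> array of handlers
  const run = (type, ev) => (handlers.get(type) || []).forEach((h) => h.call(target, ev));
  return {
    on(name, fn) {
      const type = baseType(name);
      handlers.set(type, (handlers.get(type) || []).concat(fn));
    },
    // Handlers only; never touches target[type].
    triggerHandler(name) {
      run(baseType(name), { preventDefault() {} });
    },
    // Handlers first, then the same-named method on the target as the default action.
    trigger(name) {
      const type = baseType(name);
      let prevented = false;
      run(type, { preventDefault() { prevented = true; } });
      if (!prevented && typeof target[type] === "function") target[type]();
    },
  };
}

// Audit helper: custom event names whose base type is also a method on the target.
function collidingEvents(target, names) {
  return names.filter((n) => typeof target[baseType(n)] === "function");
}

// Constructed stand-in for document: open() and write() discard the current content.
function makeFakeDocument() {
  return { body: "<p>page</p>", open() { this.body = ""; }, write() { this.body = ""; } };
}

function demo() {
  const viaTrigger = makeFakeDocument();
  const viaHandler = makeFakeDocument();
  let calls = 0;
  for (const [doc, method] of [[viaTrigger, "trigger"], [viaHandler, "triggerHandler"]]) {
    const em = makeEmitter(doc);
    em.on("open.flyout", () => { calls += 1; });
    em[method]("open.flyout");
  }
  return { calls, afterTrigger: viaTrigger.body, afterTriggerHandler: viaHandler.body };
}
```

Running `collidingEvents` over a project's custom event names against the real target object is a quick way to find names like "open.flyout" before they are triggered.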