Side navigation
#13821 closed bug (wontfix)
Opened April 25, 2013 04:15PM UTC
Closed April 26, 2013 01:01AM UTC
Last modified April 26, 2013 01:58AM UTC
.html() corrupts attribute values containing things that look like self-closing tags
| Reported by: | roan.kattouw@gmail.com | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | None |
| Component: | unfiled | Version: | 1.9.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
h = '<span data-foo="foo<bar />baz">quux</span>';
d = $( '<div>' ).html( h );
d[0].innerHTML;
"<span data-foo="foo<bar ></span>baz">quux</span>"
This happens because rxhtmlTag mistakenly believes my <span> is self-closed, because it sees <span followed by />, and "helpfully" tries to close it for me.
In Chrome, this is slightly less of an issue than in Firefox. If you have a DOM that looks like the one in my example, Chrome's .innerHTML will have the < and > escaped as < and > (which doesn't match rxhtmlTag); while Firefox's .innerHTML will have them as literals (which does match rxhtmlTag).
I wonder why rxhtmlTag exists in the first place. It's not documented in the source code at all, and it breaks things. Is it because IE's behavior with self-closing tags?
Attachments (0)
Change History (4)
Changed April 25, 2013 04:22PM UTC by comment:1
Changed April 25, 2013 04:35PM UTC by comment:2
Replying to [comment:1 roan.kattouw@…]:
jsfiddle demonstrating the bug: http://jsfiddle.net/FZs9P/ (breaks in Firefox, works in Chrome)
URL that actually works: http://jsfiddle.net/FZs9P/2/
Changed April 26, 2013 01:01AM UTC by comment:3
| resolution: | → wontfix |
|---|---|
| status: | new → closed |
Amazingly enough, it ''is'' possible to fix this concisely. But I'll give you a hint of the mess we're likely to leave behind by doing so:
rxhtmlTag = new RegExp( "<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\\\\w:]+)(?:" +
jQuery.expr.match.ATTR.source.replace(/^.*?\\[|(\\\\\\\\)\\.|(?=\\\\)(\\d)|.]$/g, function( str, backslash, capture ) {
return +capture + 2 || backslash || "";
}) +
")*\\\\s*)/>",
"gi" )
Better to let sleeping dogs lie, methinks.
Changed April 26, 2013 01:58AM UTC by comment:4
As far as I can tell, this patch was put waaaaay back (before 2007) so that people could use invalid markup like <div id="haha" /> and after that much time I have no doubt it's widespread enough that we couldn't ever contemplate pulling it out.
jsfiddle demonstrating the bug: http://jsfiddle.net/FZs9P/ (breaks in Firefox, works in Chrome)