#13921 closed bug (duplicate)
Opened May 22, 2013 04:42PM UTC
Closed May 22, 2013 08:56PM UTC
parseHTML doesn't prevent script execution
| Reported by: | alisey | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | None |
| Component: | unfiled | Version: | 2.0.0 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
This line creates an alert dialog:
jQuery.parseHTML('<img src="//" onerror="alert(\'Hey\')">');
Fiddle: http://jsfiddle.net/qvrY9/
But maybe sanitization is not jQuery's job, in which case a warning could be added to the documentation.
Attachments (0)
Change History (1)
Changed May 22, 2013 08:56PM UTC by comment:1
| resolution: | → duplicate |
|---|---|
| status: | new → closed |
Duplicate of #11974.

There's no performant way to sanitize an arbitrary chunk of HTML, unfortunately. However, when code passes `false` (or defaults) to avoid running scripts it should also not assume that inline handlers or other scripty things like `<meta refresh>` will work. Even though we don't have a good cross-platform way to defeat these things, we'd use them if they are available.

There is an open docs ticket for this already (see #11974 and #12428) so I'll close this.
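
The following is an added example, not part of the ticket and not jQuery's own code. It shows one way a caller can handle the cases this ticket names (inline `on*` handlers and `<meta refresh>`) that `keepScripts = false` leaves in place. The names `stripActiveContent`, `isMetaRefresh` and `parseInert` are hypothetical, and the filter covers only these cases, so it is not a general HTML sanitizer.

```javascript
// Added example, not jQuery's code. Works on real DOM nodes or on any objects
// exposing nodeType, nodeName, attributes, childNodes, removeAttribute and
// removeChild.
function isMetaRefresh(tag, attrs) {
  return tag === 'meta' && attrs.some(
    (a) => a.name.toLowerCase() === 'http-equiv' && /^\s*refresh\s*$/i.test(a.value));
}

// Returns { nodes, removed }: the surviving top-level nodes and a list of
// what was stripped. Covers only the cases named in the ticket.
function stripActiveContent(nodes) {
  const removed = [];
  const clean = (list) => Array.from(list).filter((node) => {
    if (node.nodeType !== 1) return true;           // keep text and comments
    const tag = node.nodeName.toLowerCase();
    const attrs = Array.from(node.attributes);      // copy: mutated below
    // parseHTML already drops <script> when keepScripts is false; the check
    // is kept for nodes that come from other sources.
    if (tag === 'script' || isMetaRefresh(tag, attrs)) {
      removed.push('<' + tag + '>');
      return false;                                 // drop the whole element
    }
    for (const a of attrs) {
      if (a.name.toLowerCase().startsWith('on')) {  // onerror, onload, ...
        removed.push(tag + '[' + a.name + ']');
        node.removeAttribute(a.name);
      }
    }
    // Detach rejected children from their parent.
    const kept = clean(node.childNodes);
    for (const child of Array.from(node.childNodes)) {
      if (!kept.includes(child)) node.removeChild(child);
    }
    return true;
  });
  return { nodes: clean(nodes), removed };
}

// Browser usage (assumes jQuery is loaded). The inert document has no
// browsing context, so the image is not fetched and onerror cannot fire
// while parsing; the handler is stripped before the nodes reach the page.
function parseInert(html) {
  const inert = document.implementation.createHTMLDocument('');
  return stripActiveContent(jQuery.parseHTML(html, inert, false));
}
```

Parsing in the live document and stripping afterwards is too late for the ticket's `<img onerror>` case, because the handler can fire as soon as the element is created; that is why `parseInert` passes an inert document as the `context` argument.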