Bug Tracker

#13921 closed bug (duplicate)

Opened May 22, 2013 04:42PM UTC

Closed May 22, 2013 08:56PM UTC

parseHTML doesn't prevent script execution

Reported by: alisey
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: 2.0.0
Keywords:
Cc:
Blocked by:
Blocking:
Description

This line creates an alert dialog:

jQuery.parseHTML('<img src="//" onerror="alert(\'Hey\')">');

Fiddle: http://jsfiddle.net/qvrY9/

But maybe sanitization is not jQuery's job, in which case a warning could be added to the documentation.

Change History (1)

Changed May 22, 2013 08:56PM UTC by dmethvin comment:1

resolution: → duplicate
status: new → closed

Duplicate of #11974. There's no performant way to sanitize an arbitrary chunk of HTML, unfortunately. However, when code passes false (or defaults) to avoid running scripts it should also not assume that inline handlers or other scripty things like <meta refresh> will work. Even though we don't have a good cross-platform way to defeat these things, we'd use them if they are available.

There is an open docs ticket for this already (see #11974 and #12428) so I'll close this.
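
The limitation discussed in this ticket, as an added example that is not part of the ticket or of jQuery: an audit that lists the active content `keepScripts = false` leaves in place (inline handlers, `<meta refresh>`, `javascript:` URLs) after parsing into an inert document. The names `auditElements`, `auditHtml`, `URL_ATTRS` and `SAMPLE` are hypothetical, and the wrapper assumes that a document from `createHTMLDocument` loads nothing and fires no handlers.

```javascript
// Added example, not jQuery code; auditElements, auditHtml, URL_ATTRS and SAMPLE are hypothetical names.

// URL-bearing attributes checked for script-scheme values (constructed, non-exhaustive list).
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Report constructs that stay active after <script> elements are dropped.
// `elements` is any iterable of DOM Elements, or plain objects with localName and attributes.
function auditElements(elements) {
  const findings = [];
  for (const el of elements) {
    const tag = el.localName;
    const attrs = {};
    for (const a of Array.from(el.attributes)) attrs[a.name.toLowerCase()] = a.value;

    for (const [name, value] of Object.entries(attrs)) {
      if (name.startsWith('on')) {
        // Deliberately broad: any on* attribute is treated as an inline handler.
        findings.push({ tag, kind: 'inline-handler', attr: name });
      } else if (URL_ATTRS.has(name) &&
                 /^javascript:/i.test(value.replace(/[\u0000-\u0020]/g, ''))) {
        // Whitespace and control characters are removed first, since browsers ignore some of them in URLs.
        findings.push({ tag, kind: 'script-url', attr: name });
      }
    }
    if (tag === 'meta' && /^refresh$/i.test((attrs['http-equiv'] || '').trim())) {
      findings.push({ tag, kind: 'meta-refresh', attr: 'http-equiv' });
    }
  }
  return findings;
}

// Browser-only wrapper. Assumption: nodes built in a document from createHTMLDocument
// do not load resources or fire handlers, so the audit runs before anything can execute.
function auditHtml(html) {
  const inert = document.implementation.createHTMLDocument('');
  const nodes = jQuery.parseHTML(html, inert, false) || [];
  const elements = [];
  for (const n of nodes) {
    if (n.nodeType === 1) elements.push(n, ...n.querySelectorAll('*'));
  }
  return auditElements(elements);
}

// Constructed sample (element-like objects) so the audit also runs outside a browser.
const SAMPLE = [
  { localName: 'img', attributes: [{ name: 'src', value: '//' }, { name: 'onerror', value: "alert('Hey')" }] },
  { localName: 'meta', attributes: [{ name: 'http-equiv', value: 'refresh' }, { name: 'content', value: '0' }] },
];
```

In a browser, a non-empty result from `auditHtml(untrusted)` means the markup still carries active content even though `keepScripts` was false.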