Bug Tracker

#14464 closed bug (notabug)

Opened October 18, 2013 09:11PM UTC

Closed October 19, 2013 02:12AM UTC

Last modified October 19, 2013 02:28AM UTC

jQuery.html() does not correctly parse input values with "/>"

Reported by: accounts@prettycode.org
Owned by:
Priority: low
Milestone: None
Component: manipulation
Version: 2.0.3
Keywords:
Cc:
Blocked by:
Blocking:
Description

Examine the following code:

$(document.body).html('<select><option value="!/>">Test</option></select>');

The markup inserted into the DOM is this:

<select><option value="!></option>">Test</option></select>

See jsfiddle here:

http://jsfiddle.net/wEp5p/

There is no requirement in jQuery.html() documentation that says the string passed in MUST BE HTML-encoded.

However, in this example, jQuery.html() does not act correctly UNLESS it IS HTML-encoded.

Change History (2)

Changed October 19, 2013 02:12AM UTC by dmethvin comment:1

resolution: → notabug
status: new → closed

There are many things we don't state in the documentation because they seem rather obvious. http://www.w3.org/International/questions/qa-escapes#use

Changed October 19, 2013 02:28AM UTC by gibson042 comment:2

blockedby: → 14370
component: unfiled → manipulation
priority: undecided → low

HTML5 throws in a monkey wrench, but in my opinion it's pointless to fix this without a more sophisticated regular expression, and I remain convinced that such an improvement does not offer enough value to justify its large size.

At most, I could see exposing pre-innerHTML replacement arguments as properties of jQuery for users to tweak if they want to accommodate such edge cases.
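
Added example (not part of the ticket and not jQuery's own source): the pre-innerHTML string replacement discussed above, reproduced on the reporter's input beside an HTML-encoded version of the same attribute value. The regular expression is modeled on the self-closing-tag expansion in jQuery 2.x and is an assumption here; `preInnerHTML`, `escapeAttr` and `isRewritten` are hypothetical helper names.

```javascript
// Pattern modeled on the self-closing-tag expansion jQuery 2.x applied to a
// string before handing it to innerHTML (assumed, not copied from the ticket).
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;

// Hypothetical helper: the string rewrite that runs before innerHTML.
// The regex has no notion of quoted attribute values, so a "/>" inside a
// value is treated as the end of a self-closing tag.
function preInnerHTML(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Hypothetical helper: encode a value for a double-quoted attribute.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical helper: true when the rewrite would alter the markup.
function isRewritten(html) {
  return preInnerHTML(html) !== html;
}

// The reporter's markup, and the same markup with the value encoded.
const raw = '<select><option value="!/>">Test</option></select>';
const encoded =
  '<select><option value="' + escapeAttr("!/>") + '">Test</option></select>';

// Raw input: the attribute is cut at "/>" and a closing tag is injected,
// so the rest of the value ends up outside the tag it belonged to.
console.log(preInnerHTML(raw));

// Encoded input: no literal ">" inside the value, so nothing is rewritten.
console.log(preInnerHTML(encoded));
```

Setting the value through a DOM-level call such as `.attr('value', ...)` or `.val()` instead of building an HTML string avoids the string rewrite altogether.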