Side navigation
#14464 closed bug (notabug)
Opened October 18, 2013 09:11PM UTC
Closed October 19, 2013 02:12AM UTC
Last modified October 19, 2013 02:28AM UTC
jQuery.html() does not correctly parse input values with "/>"
| Reported by: | accounts@prettycode.org | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | None |
| Component: | manipulation | Version: | 2.0.3 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Examine the following code:
$(document.body).html('<select><option value="!/>">Test</option></select>');
The markup inserted into the DOM is this:
<select><option value="!></option>">Test</option></select>
See jsfiddle here:
There is no requirement in jQuery.html() documentation that says the string passed in MUST BE HTML-encoded.
However, in this example, jQuery.html() does not act correctly UNLESS it IS HTML-encoded.
Attachments (0)
Change History (2)
Changed October 19, 2013 02:12AM UTC by comment:1
| resolution: | → notabug |
|---|---|
| status: | new → closed |
Changed October 19, 2013 02:28AM UTC by comment:2
| blockedby: | → 14370 |
|---|---|
| component: | unfiled → manipulation |
| priority: | undecided → low |
HTML5 throws in a monkey wrench, but in my opinion it's pointless to fix this without a more sophisticated regular expression, and I remain convinced that such an improvement does not offer enough value to justify its large size.
At most, I could see exposing pre-innerHTML replacement arguments as properties of jQuery for users to tweak if they want to accommodate such edge cases.
There are many things we don't state in the documentation because they seem rather obvious. http://www.w3.org/International/questions/qa-escapes#use