#1734 closed bug (fixed)
Opened September 26, 2007 12:13PM UTC
Closed July 11, 2010 07:00PM UTC
html(val) in IE6/7: inserted content always has security zone "internet"
Reported by: | daniel | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | 1.2.2 |
Component: | core | Version: | 1.2.1 |
Keywords: | | Cc: | daniel.wiesner@itc-halle.de |
Blocked by: | | Blocking: | |
Description
When JavaScript is disabled for the zone "internet" and the following page is started from a zone with JavaScript enabled (e.g. the local filesystem or a domain marked as a trusted site), the first link produced by html(val) doesn't work. The second works.
This is a critical bug. In some intranets it isn't possible to enable JavaScript for the zone "internet".
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Unbenannte Seite</title>
<script type="text/javascript" src="js/jquery-1.2.1.js"></script>
<script>
$(document).ready(function(){
$("#test1").html("<a onclick=\"alert('html(val)')\" href=\"#\">html(val)</a>");
document.getElementById("test2").innerHTML="<a onclick=\"alert('innerHTML')\" href=\"#\">innerHTML</a>";
});
</script>
</head>
<body>
<div id="test1">
</div>
<div id="test2">
</div>
</body>
</html>
Attachments (0)
Change History (4)
Changed December 04, 2007 08:37AM UTC by comment:1
Changed December 06, 2007 03:06AM UTC by comment:2
priority: | critical → major |
---|
Changed October 23, 2008 02:19AM UTC by comment:3
It's the HTML-to-DOM translation in jQuery.clean. A new div is created using context.createElement("div") and the incoming HTML converted by assigning to div.innerHTML. Since the div isn't attached to any document, IE seems to assume the worst and uses a restricted security zone. If you append the div to the document body before using innerHTML and remove it afterwards, the script is processed in the right zone:
// Go to html and back, then peel off extra wrappers
context.getElementsByTagName("body")[0].appendChild(div); //hack
div.innerHTML = wrap[1] + elem + wrap[2];
context.getElementsByTagName("body")[0].removeChild(div); //hack
This would need to be tightened up and tested; I'd hate to make jQuery.clean any slower. A workaround for the reporter would be to put all the scripts in the intranet-zone document and attach event handlers there rather than injecting them via html strings, which is the preferred way to do it anyway.
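The workaround suggested in comment:3, sketched against the reporter's test page as an added example (not part of the ticket or of jQuery's code): the two links are built with DOM calls and their click handlers are attached from the page's own script, so no handler code travels inside an HTML string. The helper names addLink and wireTestLinks are hypothetical.

```javascript
// Added example: build the link as DOM nodes and attach the handler from
// script that already runs in the hosting page, instead of passing an
// inline onclick attribute through html(val) or innerHTML.
// addLink and wireTestLinks are hypothetical helper names.
function addLink(doc, containerId, label, onClick) {
  var container = doc.getElementById(containerId);
  if (!container) {
    throw new Error("no element with id " + containerId);
  }
  var link = doc.createElement("a");
  link.setAttribute("href", "#");
  link.appendChild(doc.createTextNode(label));

  var handler = function (event) {
    // Older IE may expose the event only as window.event
    event = event || (typeof window !== "undefined" ? window.event : undefined);
    onClick(label);
    // Cancel the navigation to "#"
    if (event && event.preventDefault) {
      event.preventDefault();
    } else if (event) {
      event.returnValue = false;
    }
    return false;
  };

  if (link.addEventListener) {
    link.addEventListener("click", handler, false);
  } else if (link.attachEvent) {
    link.attachEvent("onclick", handler); // IE6/7 event model
  } else {
    link.onclick = handler;
  }
  container.appendChild(link);
  return link;
}

// The reporter's two test links (#test1 and #test2), without inline handlers
function wireTestLinks(doc, notify) {
  return [
    addLink(doc, "test1", "html(val)", notify),
    addLink(doc, "test2", "innerHTML", notify)
  ];
}

// In a browser, run once the page has loaded (e.g. from $(document).ready)
if (typeof document !== "undefined") {
  window.onload = function () {
    wireTestLinks(document, function (label) { alert(label); });
  };
}
```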
Changed July 11, 2010 07:00PM UTC by comment:4
resolution: | → fixed |
---|---|
status: | new → closed |
This was fixed in jQuery 1.4 using context.createElement("div") in jQuery.clean.
That is very odd. Unfortunately I have no idea how IE decided it was invalid. Does someone else know more about this problem?