Define a $.parseHTML method for creating HTML fragments
Reported by: dmethvin
Owned by: dmethvin
Currently, we try to sniff out HTML in whatever is passed to $(), leading to problems like #9521 where the developer sends untrusted input to jQuery. Any real fix to #9521 that plugs all the holes is likely to create situations where we reject HTML strings that we previously accepted.
By creating a $.html() method we can let the developer be explicit that they want to create a fragment from HTML and accept any consequences, rather than let $() guess it. Over the next few versions we could tighten down $() to say that any HTML string passed to it must begin and end with angle brackets--no spaces or text on the ends--which might allow us to avoid the regex check.
If we had this new method, what should it return? Seems like a jQuery object with the nodes would be the most obvious, but it could return a plain Array of nodes or a documentFragment with the nodes.
I'm also open to bikeshedding on the method name, since it's not an analog to $.fn.html so perhaps $.fragment, $.nodes or similar.
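The tightened rule proposed in the description (an HTML string must begin with `<` and end with `>`, with no spaces or text on the ends), set beside a loose "markup anywhere" check, as an added example that is not part of the ticket or jQuery's code. The function names, the simplified loose check and the sample strings are assumptions constructed for illustration.

```javascript
// Added illustration; not jQuery source. All names here are hypothetical.

// Loose rule: treat the string as HTML if a "<...>" run appears anywhere in it.
// Simplified stand-in for content sniffing, not jQuery's actual regex.
function looksLikeHtmlLoose(input) {
  if (typeof input !== "string") return false;
  const open = input.indexOf("<");
  return open !== -1 && input.indexOf(">", open + 2) !== -1;
}

// Strict rule from the ticket: first character "<", last character ">",
// nothing (not even whitespace) outside them. No regex needed.
function isHtmlStrict(input) {
  return typeof input === "string" &&
    input.length >= 3 &&
    input.charAt(0) === "<" &&
    input.charAt(input.length - 1) === ">";
}

// Decide how a $()-style entry point would interpret the argument.
function classify(input, strict) {
  const isHtml = strict ? isHtmlStrict(input) : looksLikeHtmlLoose(input);
  return isHtml ? "html" : "selector";
}

// Constructed sample inputs, benign markup only.
const SAMPLES = [
  "<div>hi</div>",          // plain fragment
  "#tab<p>hi</p>",          // selector-looking prefix followed by markup
  " <p>hi</p>",             // leading space: accepted before, rejected by the strict rule
  "text <b>bold</b> more",  // text on both ends
  "div > p"                 // child-combinator selector, no markup
];

// Return the inputs whose interpretation changes when the rule is tightened.
function changedByStrictRule(samples) {
  return samples.filter((s) => classify(s, false) !== classify(s, true));
}

console.log(changedByStrictRule(SAMPLES));
```

Every string in the printed list is one that the loose check would parse as HTML and the strict check would hand to the selector engine, which is the compatibility cost the description anticipates.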
Change History (12)
comment:3 Changed 4 years ago by rwaldron
- Component changed from unfiled to manipulation
- Owner set to dmethvin
- Priority changed from undecided to low
- Status changed from new to assigned
- Type changed from bug to feature
comment:4 Changed 4 years ago by dmethvin
- Milestone changed from None to 1.8
- Summary changed from Define a $.html method for creating HTML fragments to Define a $.parseHTML method for creating HTML fragments
comment:8 Changed 4 years ago by timmywil
- Resolution set to fixed
- Status changed from assigned to closed