Define a $.parseHTML method for creating HTML fragments
Reported by: dmethvin | Owned by: dmethvin
Currently, we try to sniff out HTML in whatever is passed to $(), leading to problems like #9521 where the developer sends untrusted input to jQuery. Any real fix to #9521 that plugs all the holes is likely to create situations where we reject HTML strings that we previously accepted.
By creating a $.html() method we can let the developer be explicit that they want to create a fragment from HTML and accept any consequences, rather than let $() guess it. Over the next few versions we could tighten down $() to say that any HTML string passed to it must begin and end with angle brackets--no spaces or text on the ends--which might allow us to avoid the regex check.
If we had this new method, what should it return? Seems like a jQuery object with the nodes would be the most obvious, but it could return a plain Array of nodes or a documentFragment with the nodes.
I'm also open to bikeshedding on the method name, since it's not an analog to $.fn.html so perhaps $.nodes or similar.
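As an added example (not part of the ticket and not jQuery's own code), the sketch below contrasts sniffing HTML anywhere in a string with the tightened "begins and ends with angle brackets" rule, alongside an explicit opt-in call. The names `classifyLenient`, `classifyStrict` and `dispatch` are hypothetical, the lenient regex is an assumed simplification of content sniffing, and the sample inputs are constructed.

```javascript
// Added illustration; not jQuery source. Both classifiers are simplified models.

// Assumed model of "sniffing": any tag-like run counts as HTML,
// even when there is leading or trailing text around it.
function classifyLenient(input) {
  return /<[\w\W]+>/.test(input) ? "html" : "selector";
}

// The tightened rule proposed in the ticket: first character "<", last
// character ">", no whitespace or text on either end. No regex is needed.
function classifyStrict(input) {
  const ok = typeof input === "string" &&
    input.length >= 3 &&
    input.charAt(0) === "<" &&
    input.charAt(input.length - 1) === ">";
  return ok ? "html" : "selector";
}

// Hypothetical dispatcher modelling the proposed split:
// explicit=true stands for a $.parseHTML-style call where the caller opts in
// to HTML; explicit=false stands for $() guessing from the string.
function dispatch(input, explicit, classify) {
  return explicit ? "html" : classify(input);
}

// Constructed sample inputs.
const samples = [
  "<div>hello</div>",     // plain markup
  "#tab1",                // plain selector
  "#tab1<b>x</b>",        // selector-looking value with markup appended
  " <p>padded</p> ",      // markup with whitespace on the ends
  "text <i>then</i> tag"  // text before markup
];

function compare() {
  return samples.map(s => ({
    input: s,
    lenient: dispatch(s, false, classifyLenient),
    strict: dispatch(s, false, classifyStrict),
    explicit: dispatch(s, true, classifyStrict)
  }));
}

console.table(compare());
```

Only the first sample is treated as HTML under the strict rule; the last three are treated as HTML only by the lenient model or by the explicit call, which is the compatibility break the ticket anticipates.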
Change History (12)
comment:3 Changed 5 years ago by
Component: unfiled → manipulation
Owner: set to dmethvin
Priority: undecided → low
Status: new → assigned
Type: bug → feature
comment:4 Changed 5 years ago by
Milestone: None → 1.8
Summary: Define a $.html method for creating HTML fragments → Define a $.parseHTML method for creating HTML fragments