Bug Tracker

Opened 7 years ago

Closed 7 years ago

#13638 closed bug (notabug)

jQuery.event.trigger with open/write will call document methods inadvertently

Reported by: alex.wallace
Owned by: alex.wallace
Priority: undecided
Milestone: None
Component: unfiled
Version: 1.9.1
Keywords:
Cc:
Blocked by:
Blocking:

Description

Simple example: http://jsfiddle.net/8UtFE/3/

Using $.event.trigger('write') or $.event.trigger('open') can result in calling document.open() or document.write() if the propagation is not stopped. I scanned the standard list of methods available on the document object and these are the only two that can be called with no arguments and result in adverse effects. The rest will at least throw an error, which is caught by the wrapping try/catch. But calling open() or write() will wipe the current document.

This affects 1.9.1, in latest Chrome, Firefox, IE9, and I would expect any other browser with open/write available on the document object. (all?) This issue is not present in earlier versions of jQuery.

Given that #6170 avoided the window object to avoid inadvertently calling global methods, this issue feels similar.

Change History (4)

comment:2 Changed 7 years ago by dmethvin

Owner: set to alex.wallace
Status: new → pending

Why are you triggering those events on the document?

The behavior of calling the method is documented in .trigger(), as well as the recommendation to use .triggerHandler() if you don't want it. http://api.jquery.com/trigger/

There is already an api.jquery.com docs ticket to tell people not to use simple names for custom events. https://github.com/jquery/api.jquery.com/issues/125

comment:3 Changed 7 years ago by alex.wallace

Status: pending → new

This was turned up due to having a custom event named "open.flyout". triggerHandler is what we need for this use case - thanks. This can be closed out.

comment:4 Changed 7 years ago by dmethvin

Resolution: notabug
Status: new → closed

Will do. I also noticed that the report was about $.event.trigger() which is an undocumented interface and that particular usage (just an event with no target element) will break as of jQuery 1.9.
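
A lint-style check for the naming collision discussed in this ticket, as an added example that is not part of the ticket or of jQuery's code: it flags `.trigger()` calls whose event type (the part before any namespace) matches a native method name, and ignores `.triggerHandler()`. The method list, the `findRiskyTriggers` name and the sample source are assumptions constructed for illustration.

```javascript
// Added example (not jQuery code): flag .trigger() calls whose event type
// collides with a native method that the documented .trigger() default
// action would call on the target.

// Assumption: a short, constructed list of native methods callable with no
// arguments. A static scan cannot know the target element's real type, so
// extend or trim this list for the elements your code triggers events on.
const NATIVE_METHODS = new Set([
  'open', 'write', 'close',           // document
  'submit', 'reset',                  // form
  'click', 'focus', 'blur', 'select'  // elements and inputs
]);

// Matches .trigger('name') and $.event.trigger("name"). It does not match
// .triggerHandler(...), because "(" must follow "trigger" directly.
const TRIGGER_CALL = /\.trigger\s*\(\s*(['"])([^'"]+)\1/g;

function findRiskyTriggers(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const match of text.matchAll(TRIGGER_CALL)) {
      const eventName = match[2];
      // "open.flyout" has type "open" and namespace "flyout"; only the
      // type decides which native method would be called.
      const type = eventName.split('.')[0];
      if (NATIVE_METHODS.has(type)) {
        findings.push({ line: index + 1, event: eventName, method: type });
      }
    }
  });
  return findings;
}

// Constructed sample input, modelled on the calls discussed in the ticket.
const SAMPLE = [
  "$.event.trigger('open');",
  "$(document).trigger('open.flyout');",
  "$(document).triggerHandler('open.flyout');",
  "$('#menu').trigger('flyout:open');",
  "$('form').trigger(\"submit\");"
].join('\n');

console.log(findRiskyTriggers(SAMPLE));
```

Only string-literal event names are checked; names built at runtime need review by hand.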
