Bug Tracker

Opened 6 years ago

Closed 6 years ago

#13921 closed bug (duplicate)

parseHTML doesn't prevent script execution

Reported by: alisey
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: 2.0.0
Keywords:
Cc:
Blocked by:
Blocking:

Description

This line creates an alert dialog:

jQuery.parseHTML('<img src="//" onerror="alert(\'Hey\')">');

Fiddle: http://jsfiddle.net/qvrY9/

But maybe sanitization is not jQuery's job, in which case a warning could be added to the documentation.

Change History (1)

comment:1 Changed 6 years ago by dmethvin

Resolution: duplicate
Status: new → closed

Duplicate of #11974.
There's no performant way to sanitize an arbitrary chunk of HTML, unfortunately. However, when code passes false (or defaults) to avoid running scripts it should also not assume that inline handlers or other scripty things like <meta refresh> will work. Even though we don't have a good cross-platform way to defeat these things, we'd use them if they are available.

There is an open docs ticket for this already (see #11974 and #12428) so I'll close this.
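
An added example, not from the ticket or from jQuery's code: because dropping script elements leaves inline handlers and <meta refresh> in place, one defensive option is to audit the parsed tree against an allowlist and refuse to insert markup that produces any finding. The names ALLOWED, isSafeUrl, auditTree and el are hypothetical, the sample nodes are constructed stand-ins for DOM nodes, and in a page the root is assumed to be the content of a <template> element, which parses markup without firing handlers.

```javascript
// Added example. ALLOWED, isSafeUrl, auditTree and el are hypothetical names, not jQuery APIs.
const ALLOWED = new Map([            // tag -> attributes permitted on it
  ['P', []], ['B', []], ['I', []], ['UL', []], ['LI', []], ['BR', []],
  ['A', ['href', 'title']],
  ['IMG', ['src', 'alt', 'width', 'height']],
]);                                  // a Map, so a tag named "constructor" cannot hit Object.prototype
const URL_ATTRS = new Set(['href', 'src']);

// Accepts relative, protocol-relative and http(s) URLs; rejects every other scheme.
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '');   // drop whitespace/control chars before reading the scheme
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return !scheme || /^https?$/i.test(scheme[1]);
}

// Returns one finding per element or attribute outside the allowlist; [] means nothing was flagged.
function auditTree(root) {
  const findings = [];
  const queue = Array.from(root.childNodes);
  for (let i = 0; i < queue.length; i++) {
    const node = queue[i];
    if (node.nodeType !== 1) continue;               // only element nodes carry attributes
    const tag = node.nodeName.toUpperCase();
    const allowed = ALLOWED.get(tag);
    if (!allowed) {
      findings.push(`element <${tag.toLowerCase()}> not allowed`);
    } else {
      for (const { name, value } of Array.from(node.attributes)) {
        const n = name.toLowerCase();
        if (!allowed.includes(n)) findings.push(`<${tag.toLowerCase()}> attribute ${n} not allowed`);
        else if (URL_ATTRS.has(n) && !isSafeUrl(value)) findings.push(`<${tag.toLowerCase()}> ${n} has a disallowed URL scheme`);
      }
    }
    queue.push(...Array.from(node.childNodes));
  }
  return findings;
}

// Constructed stand-in for DOM nodes so the block runs outside a browser.
const el = (nodeName, attrs = {}, ...childNodes) => ({
  nodeType: 1, nodeName, childNodes,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
});
const SAMPLE = { childNodes: [                       // constructed input; the <img> is the ticket's markup
  el('P', {}, { nodeType: 3 }),
  el('IMG', { src: '//', onerror: "alert('Hey')" }),
  el('META', { 'http-equiv': 'refresh', content: '0; url=//example.invalid/' }),
  el('A', { href: 'javascript:void(0)' }),
] };
console.log(auditTree(SAMPLE));
```

The audit rejects rather than repairs: markup with any finding is not inserted, which avoids relying on a partial clean-up of the tree.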
