#14464 closed bug (notabug)
jQuery.html() does not correctly parse input values with "/>"
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | None |
| Component: | manipulation | Version: | 2.0.3 |
| Keywords: | | Cc: | |
| Blocked by: | #14370 | Blocking: | |
Description
Examine the following code:
$(document.body).html('<select><option value="!/>">Test</option></select>');
The markup inserted into the DOM is this:
<select><option value="!></option>">Test</option></select>
See jsfiddle here:
There is no requirement in jQuery.html() documentation that says the string passed in MUST BE HTML-encoded.
However, in this example, jQuery.html() does not act correctly UNLESS it IS HTML-encoded.
Change History (2)
comment:1 Changed 10 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
comment:2 Changed 10 years ago by
Blocked by: | 14370 added |
---|---|
Component: | unfiled → manipulation |
Priority: | undecided → low |
HTML5 throws in a monkey wrench, but in my opinion it's pointless to fix this without a more sophisticated regular expression, and I remain convinced that such an improvement does not offer enough value to justify its large size.
At most, I could see exposing pre-innerHTML replacement arguments as properties of jQuery for users to tweak if they want to accommodate such edge cases.
There are many things we don't state in the documentation because they seem rather obvious. http://www.w3.org/International/questions/qa-escapes#use
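
The pre-innerHTML replacement discussed in this ticket, as an added example (not code from the ticket or from the jQuery project): it applies a self-closing-tag expansion to the reported string and to the same markup with the attribute value HTML-encoded. The `rxhtmlTag` pattern and its replacement string are written from recollection of jQuery 2.0.x and are an assumption; `escapeAttr` and `optionMarkup` are hypothetical helpers.

```javascript
// Assumption: pattern and replacement as recalled from the jQuery 2.0.x
// manipulation code; they are not quoted anywhere in this ticket.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;

// Mimics the rewrite applied before innerHTML is assigned:
// "<tag .../>" becomes "<tag ...></tag>". The pattern has no notion of
// quoted attribute values, so "/>" inside a value also matches.
function expandSelfClosing(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// HTML-encode a string for use as text or inside a quoted attribute value.
function escapeAttr(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical helper: builds the ticket's markup from encoded pieces.
function optionMarkup(value, label) {
  return '<select><option value="' + escapeAttr(value) + '">' +
    escapeAttr(label) + "</option></select>";
}

// The string from the ticket, passed unencoded.
const raw = '<select><option value="!/>">Test</option></select>';
// The same option with its value encoded first.
const safe = optionMarkup("!/>", "Test");

console.log(expandSelfClosing(raw));           // value is split by the rewrite
console.log(expandSelfClosing(safe) === safe); // encoded markup is untouched
```

With the value encoded, no literal `/>` remains inside the tag, so the expansion has nothing to match and the browser decodes `&gt;` back to `>` when it parses the attribute.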