Bug Tracker

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#14464 closed bug (notabug)

jQuery.html() does not correctly parse input values with "/>"

Reported by: accounts@…
Owned by:
Priority: low
Milestone: None
Component: manipulation
Version: 2.0.3
Keywords:
Cc:
Blocked by: #14370
Blocking:

Description

Examine the following code:

$(document.body).html('<select><option value="!/>">Test</option></select>');

The markup inserted into the DOM is this:

<select><option value="!></option>">Test</option></select>

See jsfiddle here:

http://jsfiddle.net/wEp5p/

There is no requirement in jQuery.html() documentation that says the string passed in MUST BE HTML-encoded.

However, in this example, jQuery.html() does not act correctly UNLESS it IS HTML-encoded.

Change History (2)

comment:1 Changed 10 years ago by dmethvin

Resolution: notabug
Status: new → closed

There are many things we don't state in the documentation because they seem rather obvious. http://www.w3.org/International/questions/qa-escapes#use

comment:2 Changed 10 years ago by gibson042

Blocked by: 14370 added
Component: unfiled → manipulation
Priority: undecided → low

HTML5 throws in a monkey wrench, but in my opinion it's pointless to fix this without a more sophisticated regular expression, and I remain convinced that such an improvement does not offer enough value to justify its large size.

At most, I could see exposing pre-innerHTML replacement arguments as properties of jQuery for users to tweak if they want to accommodate such edge cases.
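
The rewrite reported in the description, next to the HTML-encoded form the description mentions, as an added example (not code from this ticket or from jQuery itself). The pattern is an assumption reproduced from jQuery 2.0.3's manipulation module, which this page does not quote; `escapeAttr`, `optionMarkup` and `isRewritten` are hypothetical helper names.

```javascript
// Model of the pre-innerHTML replacement discussed in comment:2.
// ASSUMPTION: pattern recalled from jQuery 2.0.3 (rxhtmlTag); not quoted on this page.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;

// Expands "<tag ... />" to "<tag ...></tag>" on the raw string, before any
// HTML parser sees it. The regex has no notion of quoted attribute values,
// so a "/>" inside a value is treated as the end of a self-closing tag.
function expandSelfClosing(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Check for callers: would the replacement alter this markup?
function isRewritten(html) {
  return expandSelfClosing(html) !== html;
}

// Encode the characters that are significant to an HTML tokenizer so that
// a data value can never supply "/>" (or a quote) to the markup string.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical helper: build the ticket's markup from data values.
function optionMarkup(value, label) {
  return '<select><option value="' + escapeAttr(value) + '">' +
    escapeAttr(label) + "</option></select>";
}

// The string from the description, and the same option built with encoding.
const raw = '<select><option value="!/>">Test</option></select>';
const encoded = optionMarkup("!/>", "Test");

console.log(expandSelfClosing(raw));     // structure changed by the rewrite
console.log(expandSelfClosing(encoded)); // passes through unchanged
console.log(isRewritten(raw), isRewritten(encoded));
```

Because the replacement runs on the string rather than on parsed nodes, encoding has to happen when the markup is assembled; the browser decodes `&gt;` back to `>` when it parses the attribute.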
