Bug Tracker

Opened 12 years ago

Closed 9 years ago

#1734 closed bug (fixed)

html(val) in IE6/7: inserted content has allways security zone "internet"

Reported by: daniel Owned by:
Priority: major Milestone: 1.2.2
Component: core Version: 1.2.1
Keywords: Cc: daniel.wiesner@…
Blocked by: Blocking:

Description

When javascript is disabled for the zone "internet" and the following page is started from a zone with javascript enabled (eg. local filesystem or from a domain marked as trusted site) the first links produced by html(val) dosn't work. The second works.

This is a critial bug. In some intranets it isn't possible to enable javascript for the zone "internet".

<!DOCTYPE html PUBLIC "-W3CDTD XHTML 1.0 TransitionalEN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">

<head id="Head1">

<meta name="generator" content="HTML Tidy, see www.w3.org" /> <title>Unbenannte Seite</title>

<script type="text/javascript" src="js/jquery-1.2.1.js"></script> <script>

$(document).ready(function(){

$("#test1").html("<a onclick=\"alert('html(val)')\" href=\"#\">html(val)</a>"); document.getElementById("test2").innerHTML="<a onclick=\"alert('innerHTML')\" href=\"#\">innerHTML</a>";

});

</script>

</head> <body>

<div id="test1">

</div> <div id="test2"> </div>

</body>

</html>

Change History (4)

comment:1 Changed 12 years ago by davidserduke

That is very odd. Unfortunately I have no idea how IE decided it was invalid. Does someone else know more about this problem?

comment:2 Changed 12 years ago by davidserduke

Priority: criticalmajor

comment:3 Changed 11 years ago by dmethvin

It's the HTML-to-DOM translation in jQuery.clean. A new div is created using context.createElement("div") and the incoming HTML converted by assigning to div.innerHTML. Since the div isn't attached to any document, IE seems to assume the worst and uses a restricted security zone. If you append the div to the document body before using innerHTML and remove it afterwards, the script is processed in the right zone:

// Go to html and back, then peel off extra wrappers
context.getElementsByTagName("body")[0].appendChild(div);  //hack
div.innerHTML = wrap[1] + elem + wrap[2];
context.getElementsByTagName("body")[0].removeChild(div);  //hack

This would need to be tightened up and tested; I'd hate to make jQuery.clean any slower. A workaround for the reporter would be to put all the scripts in the intranet-zone document and attach event handlers there rather than injecting them via html strings, which is the preferred way to do it anyway.

comment:4 Changed 9 years ago by dmethvin

Resolution: fixed
Status: newclosed

This was fixed in jQuery 1.4 using context.createElement("div") in jQuery.clean.

Note: See TracTickets for help on using tickets.