Bug Tracker

#1734 closed bug (fixed)

Opened September 26, 2007 12:13PM UTC

Closed July 11, 2010 07:00PM UTC

html(val) in IE6/7: inserted content always has security zone "internet"

Reported by: daniel
Owned by:
Priority: major
Milestone: 1.2.2
Component: core
Version: 1.2.1
Keywords:
Cc:
Blocked by:
Blocking:

When JavaScript is disabled for the zone "internet" and the following page is started from a zone with JavaScript enabled (e.g. local filesystem or from a domain marked as a trusted site), the first link produced by html(val) doesn't work. The second works.

This is a critical bug. In some intranets it isn't possible to enable JavaScript for the zone "internet".

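<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta name="generator" content="HTML Tidy, see" />
<title>Unbenannte Seite</title>
<script type="text/javascript" src="js/jquery-1.2.1.js"></script>
<script type="text/javascript">
$(document).ready(function () {
  // Link 1: inserted through jQuery's html(val)
  $("#test1").html("<a onclick=\"alert('html(val)')\" href=\"#\">html(val)</a>");
  // Link 2: inserted through plain innerHTML
  document.getElementById("test2").innerHTML="<a onclick=\"alert('innerHTML')\" href=\"#\">innerHTML</a>";
});
</script>
</head>
<body>
<div id="test1"></div>
<div id="test2"></div>
</body>
</html>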

Attachments (0)
Change History (4)

Changed December 04, 2007 08:37AM UTC by davidserduke comment:1

That is very odd. Unfortunately I have no idea how IE decided it was invalid. Does someone else know more about this problem?

Changed December 06, 2007 03:06AM UTC by davidserduke comment:2

priority: critical → major

Changed October 23, 2008 02:19AM UTC by dmethvin comment:3

It's the HTML-to-DOM translation in jQuery.clean. A new div is created using context.createElement("div") and the incoming HTML converted by assigning to div.innerHTML. Since the div isn't attached to any document, IE seems to assume the worst and uses a restricted security zone. If you append the div to the document body before using innerHTML and remove it afterwards, the script is processed in the right zone:

// Go to html and back, then peel off extra wrappers
context.getElementsByTagName("body")[0].appendChild(div);  //hack
div.innerHTML = wrap[1] + elem + wrap[2];
context.getElementsByTagName("body")[0].removeChild(div);  //hack

This would need to be tightened up and tested; I'd hate to make jQuery.clean any slower. A workaround for the reporter would be to put all the scripts in the intranet-zone document and attach event handlers there rather than injecting them via html strings, which is the preferred way to do it anyway.
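
Added example, not part of the ticket or of jQuery: the workaround suggested in comment 3 applied to the reporter's test page, with the links built through DOM methods and the handlers attached from the page's own script instead of an onclick attribute inside an HTML string. The names insertLink and buildTestPage and the doc parameter are hypothetical; in a browser doc is document.

```javascript
// Added example: names are hypothetical, not jQuery API.
// Before (from the ticket): the handler travels inside the HTML string.
//   $("#test1").html("<a onclick=\"alert('html(val)')\" href=\"#\">html(val)</a>");
// After: the markup carries no script at all. The handler is a function
// defined in the page's own script and attached as a DOM property.
// ES3 syntax only, so it also runs in IE6/7.

function insertLink(doc, containerId, label, handler) {
  var container = doc.getElementById(containerId);
  if (!container) {
    throw new Error("no element with id " + containerId);
  }

  var link = doc.createElement("a");
  link.setAttribute("href", "#");
  link.appendChild(doc.createTextNode(label));

  // Handler is attached from script, never parsed out of an attribute string.
  link.onclick = function () {
    handler(label);
    return false; // stop "#" from changing the URL
  };

  // Replace the container's current children, as html(val) would.
  while (container.firstChild) {
    container.removeChild(container.firstChild);
  }
  container.appendChild(link);
  return link;
}

// Rebuilds both links of the ticket's test page without inline handlers.
function buildTestPage(doc, notify) {
  return [
    insertLink(doc, "test1", "html(val)", notify),
    insertLink(doc, "test2", "innerHTML", notify)
  ];
}

// Browser usage (assumes the two divs from the test page exist):
//   buildTestPage(document, function (label) { alert(label); });
```
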

Changed July 11, 2010 07:00PM UTC by dmethvin comment:4

resolution: → fixed
status: new → closed

This was fixed in jQuery 1.4 using context.createElement("div") in jQuery.clean.