🔒️ fix CVE-2020-11023

Author: ctcpip

src/manipulation/support.js

@@ -26,6 +26,12 @@ define( [
 	// Make sure textarea (and checkbox) defaultValue is properly cloned
 	div.innerHTML = "<textarea>x</textarea>";
 	support.noCloneChecked = !!div.cloneNode( true ).lastChild.defaultValue;
+
+	// Support: IE <=9 only
+	// IE <=9 replaces <option> tags with their contents when inserted outside of
+	// the select element.
+	div.innerHTML = "<option></option>";
+	support.option = !!div.lastChild;
 } )();
 
 return support;

src/manipulation/wrapMap.js

@@ -1,11 +1,10 @@
-define( function() {
+define( [
+	"./support"
+], function( support ) {
 
 // We have to close these tags to support XHTML (#13200)
 var wrapMap = {
 
-	// Support: IE9
-	option: [ 1, "<select multiple='multiple'>", "</select>" ],
-
 	// XHTML parsers do not magically insert elements in the
 	// same way that tag soup parsers do. So we cannot shorten
 	// this by omitting <tbody> or other required elements.
@@ -17,11 +16,13 @@ var wrapMap = {
 	_default: [ 0, "", "" ]
 };
 
-// Support: IE9
-wrapMap.optgroup = wrapMap.option;
-
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
+// Support: IE <=9 only
+if ( !support.option ) {
+	wrapMap.optgroup = wrapMap.option = [ 1, "<select multiple='multiple'>", "</select>" ];
+}
+
 return wrapMap;
 } );

test/unit/manipulation.js

@@ -2558,17 +2558,13 @@ QUnit.test( "Make sure specific elements with content created correctly (#13232)
 } );
 
 QUnit.test( "Validate creation of multiple quantities of certain elements (#13818)", function( assert ) {
-	assert.expect( 44 );
+	assert.expect( 22 );
 
 	var tags = [ "thead", "tbody", "tfoot", "colgroup", "col", "caption", "tr", "th", "td", "optgroup", "option" ];
 
 	jQuery.each( tags, function( index, tag ) {
-		jQuery( "<" + tag + "/><" + tag + "/>" ).each( function() {
-			assert.ok( jQuery.nodeName( this, tag ), tag + " empty elements created correctly" );
-		} );
-
-		jQuery( "<" + this + "></" + tag + "><" + tag + "></" + tag + ">" ).each( function() {
-			assert.ok( jQuery.nodeName( this, tag ), tag + " elements with closing tag created correctly" );
+		jQuery( "<" + tag + "></" + tag + "><" + tag + "></" + tag + ">" ).each( function() {
+			assert.ok( this.nodeName.toLowerCase() === tag, tag + " elements created correctly" );
 		} );
 	} );
 } );

test/unit/support.js

@@ -67,6 +67,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -85,6 +86,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -142,6 +144,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -160,6 +163,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -178,6 +182,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -196,6 +201,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -214,6 +220,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": false,
@@ -232,6 +239,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -250,6 +258,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -268,6 +277,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -286,6 +296,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": true,
@@ -304,6 +315,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": true,
 			"optSelected": true,
 			"pixelMarginRight": false,
@@ -322,6 +334,7 @@ testIframeWithCallback(
 			"cors": true,
 			"focusin": false,
 			"noCloneChecked": true,
+			"option": true,
 			"optDisabled": false,
 			"optSelected": true,
 			"pixelMarginRight": true,