jQuery.htmlPrefilter: add new entry #858
Conversation
| <desc>Modify and filter HTML strings passed through <a href="/category/manipulation/">jQuery manipulation methods</a>.</desc> | ||
| <signature> | ||
| <added>1.12/2.2</added> | ||
| <argument name="html" type="String"> |
There was a problem hiding this comment.
The type is correct but I wonder if we could use htmlString.
There was a problem hiding this comment.
Actually, I think String is more correct. Strings passed to this function do not need to conform to the constraints laid out by htmlString (for instance, starting with a "<").
|
PR reviewed @timmywil. I think I've been very pedantic, so apologize in advance. |
|
|
||
| <pre><code> | ||
| $.htmlPrefilter = function( html ) { | ||
| return html.replace( /<script[^<]*<\/script>/g, "" ); |
There was a problem hiding this comment.
This example is broken in a few ways:
- It overwrites the default
jQuery.htmlPrefilter, but should instead wrap it like our unit test. - It isn't broad enough to function as claimed. A better regex would be
/<script(?=[\x20\t\r\n\f>])[\w\W]*?<\/script([\x20\t\r\n\f][\w\W]*?|)>/gi, but even that isn't perfect. - It touches on the sensitive subject of script injection. It might be better to remove something more innocuous, like
<del>.
Also, since we're providing sample code anyway, I was hoping to seize this opportunity to publish a fix for jquery/jquery/issues/2668 (which is the reason why it took me so long to address gh-727):
var panything = "[\\w\\W]*?",
// Whitespace
// https://html.spec.whatwg.org/multipage/infrastructure.html#space-character
pspace = "[\\x20\\t\\r\\n\\f]",
// End of tag name (whitespace or greater-than)
pnameEnd = pspace.replace( "]", ">]" ),
// Tag name (a leading letter, then almost anything)
// https://html.spec.whatwg.org/multipage/syntax.html#tag-open-state
// https://html.spec.whatwg.org/multipage/syntax.html#tag-name-state
pname = "[a-z]" + pnameEnd.replace( "[", "[^/\\0" ) + "*",
// Void element (end tag prohibited)
// https://html.spec.whatwg.org/multipage/syntax.html#void-elements
pvoidName = "(?:area|base|br|col|embed|hr|img|input|keygen|link|menuitem|meta|param|" +
"source|track|wbr)(?=" + pnameEnd + ")",
// Attributes (double-quoted value, single-quoted value, unquoted value, or no value)
// https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
pattrs = "(?:" + pspace + "+[^\\0-\\x20\\x7f-\\x9f=\"'/>]+(?:" + pspace + "*=" + pspace +
"*(?:\"" + panything + "\"|'" + panything + "'|" +
pnameEnd.replace( "[", "[^" ) + "*(?!/)" +
")|))*" + pspace + "*",
// Trailing content of a close tag
pcloseTail = "(?:" + pspace + panything + "|)",
rspecialHtml = new RegExp(
// Non-void element that self-closes: $1–$5
"(<)(?!" + pvoidName + ")(" + pname + ")(" + pattrs + ")(\\/)(>)|" +
// No-innerHTML container (element, comment, or CDATA): $6
"(<(script|style|textarea)" + pattrs + ">" + panything + "<\\/\\7" + pcloseTail + ">|" +
"<!--" + panything + "--)",
"gi"
),
// "<"; element name; attributes; ">"; "<"; "/"; element name; ">"; no-innerHTML container
pspecialReplacement = "$1$2$3$5$1$4$2$5$6";
jQuery.htmlPrefilter = function( html ) {
return (html + "").replace( rspecialHtml, pspecialReplacement );
};Everything above rspecialHtml = … could be relegated to a footnote, commented out, or omitted altogether.
There was a problem hiding this comment.
@gibson042 Thanks, I was sure you had a long comment for me. ;)
There was a problem hiding this comment.
Thank you for jumping on this. I had let it sit for far too long.
|
Updated. |
|
@gibson042 If you have time to review the example and give me your thumbs up, I'll merge the PR. |
|
LGTM 👍 |
/cc @gibson042 @kswedberg @AurelioDeRosa
Fixes gh-727