Skip to content

jQuery.param: Updated version for traditional flag #932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
AurelioDeRosa wants to merge 16 commits into from
Closed

jQuery.param: Updated version for traditional flag #932

Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
71d8a08
removeAttr: update note on support in IE
arthurvr Feb 11, 2015
7ac9ef5
child-selector: remove sentence about browser support
arthurvr Feb 24, 2015
0669a93
Ajax: Update notes about jqXHR.success(), .error() and .complete()
arthurvr Mar 2, 2015
5065c15
unwrap: add `selector` argument
arthurvr Apr 9, 2015
2a82d39
Selector: correct `removed` version number
arthurvr Apr 6, 2015
b3d0a3f
Context: removed in 3.0
arthurvr Apr 9, 2015
742c377
jQuery.uniqueSort: add new entry, deprecate `jQuery.unique()`
arthurvr May 7, 2015
66a42ea
wrapAll: change description of function argument
arthurvr May 24, 2015
270b518
data: Document behavior changes
AurelioDeRosa Jun 14, 2015
d0e7282
Visibility filters: Specified new behavior
AurelioDeRosa Jul 27, 2015
4e65b6d
isNumeric: Updated description based on new behavior
AurelioDeRosa Oct 18, 2015
4651f44
Document that addClass and removeClass change the attribute
AurelioDeRosa Dec 14, 2015
0e81757
toggleClass: Document deprecation of a signature
AurelioDeRosa Jan 8, 2016
d3b74ac
jQuery.parseJSON: Added deprecation note for jQuery 3
AurelioDeRosa Mar 11, 2016
853a06b
jQuery.parseHTML: Specified behavior of version 3
AurelioDeRosa Apr 7, 2016
a574bf5
jQuery.param: Updated version for traditional flag
AurelioDeRosa May 20, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
jQuery.parseHTML: Specified behavior of version 3 
Fixes gh-903
Closes gh-907
  • Loading branch information
@AurelioDeRosa
AurelioDeRosa committed Apr 8, 2016
commit 853a06b97d738c406b6fb7267b5040b8674e682d
1 change: 1 addition & 0 deletions entries/jQuery.parseHTML.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
<longdesc>
<p><code>jQuery.parseHTML</code> uses native methods to convert the string to a set of DOM nodes, which can then be inserted into the document. These methods do render all trailing or leading text (even if that's just whitespace). To prevent trailing/leading whitespace from being converted to text nodes you can pass the HTML string through <a href="/jQuery.trim/"><code>jQuery.trim</code></a>.</p>
<p>By default, the <code>context</code> is the current <code>document</code> if not specified or given as <code>null</code> or <code>undefined</code>. If the HTML was to be used in another document such as an iframe, that frame's document could be used.</p>
<p>As of 3.0 the default behavior is changed. If the <code>context</code> is not specified or given as <code>null</code> or <code>undefined</code>, a new <code>document</code> is used. This can potentially improve security because inline events will not execute when the HTML is parsed. Once the parsed HTML is injected into a document it does execute, but this gives tools a chance to traverse the created DOM and remove anything deemed unsafe. This improvement does not apply to internal uses of <code>jQuery.parseHTML</code> as they usually pass in the current <code>document</code>. Therefore, a statement like <code>$( "#log" ).append( $( htmlString ) )</code> is still subject to the injection of malicious code.</p>
<h2>Security Considerations</h2>
<p>Most jQuery APIs that accept HTML strings will run scripts that are included in the HTML. <code>jQuery.parseHTML</code> does not run script in the parsed HTML unless <code>keepScripts</code> is explicitly <code>true</code>. However, it is still possible in most environments to execute script indirectly, for example via the <code>&lt;img onerror&gt;</code> attribute. The caller should be aware of this and guard against it by cleaning or escaping any untrusted inputs from sources such as the URL or cookies. For future compatibility, callers should not depend on the ability to run <em>any</em> script content when <code>keepScripts</code> is unspecified or <code>false</code>.</p>
</longdesc>
Expand Down