| commit | 4250b628783d7bfa92ec6c5550c6e4b22fab6034 | |
| author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | |
| Mon, 1 Nov 2021 17:10:23 +0000 (1 18:10 +0100) | ||
| committer | GitHub <noreply@github.com> | |
| Mon, 1 Nov 2021 17:10:23 +0000 (1 18:10 +0100) | ||
| tree | 10fbd9709b4cc929b92e3f394332667846aed330 | treesnapshot (tar.gz zip) |
| parent | 4fd6912bfd8fffbfabc98a9b0789d28f10af0914 | commitdiff |
Attributes: Don't stringify attributes in the setter
Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.
Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.
Fixes gh-4948
Closes gh-4949
Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.
Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.
Fixes gh-4948
Closes gh-4949
| src/attributes/attr.js | diffblobblamehistory | |
| test/data/mock.php | diffblobblamehistory | |
| test/data/trusted-types-attributes.html | [new file with mode: 0644] | blob |
| test/data/trusted-types-attributes.js | [new file with mode: 0644] | blob |
| test/middleware-mockserver.js | diffblobblamehistory | |
| test/unit/attributes.js | diffblobblamehistory |