Merged
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comment
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.

We still need to strip CDATA sections for backwards compatibility. This
shouldn't be needed as in XML documents they're already not visible when
inspecting element contents and in HTML documents they have no meaning but
we're preserving that logic for backwards compatibility. This will be removed
completely in 4.0.

Fixes gh-4904
mgol committed Jul 15, 2021
commit f1fa169507cb8645e099b84cc4a69d4fd1fe4c6e
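
The difference described in the commit message, as an added example that is not part of the commit or of jQuery's code. The two regexes are copied from the diff; the sample script texts are constructed, `evaluate` and `compare` are hypothetical helpers, and `new Function` stands in for the browser's script evaluation (an assumption that holds in engines implementing the ECMAScript Annex B HTML-like comments).

```javascript
// Regexes copied from the diff on this page (before and after the change).
const rcleanScriptOld = /^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g;
const rcleanScriptNew = /^\s*<!\[CDATA\[|\]\]>\s*$/g;

// Constructed sample: text follows "<!--" on the opening line.
const htmlCommentSample = [
	"",
	"<!-- Same-line HTML comment",
	"hits.push( 'executed' );",
	"-->",
	""
].join( "\n" );

// Constructed sample: script body wrapped in a CDATA section.
const cdataSample = [
	"",
	"<![CDATA[",
	"hits.push( 'executed' );",
	"]]>",
	""
].join( "\n" );

// Hypothetical helper: parse and run `source` as a function body and
// report "ran" if the marked statement executed, else the error name.
function evaluate( source ) {
	const hits = [];
	try {
		new Function( "hits", source )( hits );
		return hits.length === 1 ? "ran" : "skipped";
	} catch ( e ) {
		return e.name;
	}
}

// Hypothetical helper: clean the script text both ways and evaluate each.
function compare( scriptText ) {
	const oldCleaned = scriptText.replace( rcleanScriptOld, "" );
	const newCleaned = scriptText.replace( rcleanScriptNew, "" );
	return {
		oldCleaned,
		newCleaned,
		oldResult: evaluate( oldCleaned ),
		newResult: evaluate( newCleaned )
	};
}

console.log( compare( htmlCommentSample ), compare( cdataSample ) );
```

Stripping only the `<!--` marker leaves the rest of that line behind as code, which fails to parse; leaving the marker in place lets the engine discard the whole line.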
9 changes: 8 additions & 1 deletion src/manipulation.js
Expand Up @@ -40,7 +40,8 @@ var

// checked="checked" or checked
rchecked = /checked\s*(?:[^=]|=\s*.checked.)/i,
rcleanScript = /^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g;

rcleanScript = /^\s*<!\[CDATA\[|\]\]>\s*$/g;

// Prefer a tbody over its parent table for containing new rows
function manipulationTarget( elem, content ) {
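Review bot: `rcleanScript` now matches only the CDATA wrappers, but nothing at the definition says so; the reasoning is recorded only at the call site in `domManip`. Add a one-line comment above the regex stating that HTML comment markers are intentionally no longer matched and pointing to gh-4904, so a later reader does not "restore" the `--` alternatives. The name itself is also broader than what the pattern does now; if renaming is too noisy for a patch release, the comment is enough.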
Expand Down Expand Up @@ -195,6 +196,12 @@ function domManip( collection, args, callback, ignored ) {
}, doc );
}
} else {

// Clean the CDATA sections from script contents. This shouldn't be
// needed as in XML documents they're already not visible when
// inspecting element contents and in HTML documents they have no
// meaning but we're preserving that logic for backwards compatibility.
// This will be removed completely in 4.0. See gh-4904.
DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
}
}
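Review bot: The comment above `DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );` explains why CDATA is still stripped but says nothing about `<!--` and `-->` now reaching `DOMEval` untouched. Add a sentence that these markers are deliberately left for the browser to treat as single-line comment delimiters. This is a behaviour change for callers: text on the same line after a leading `<!--` was previously evaluated as code once the marker was stripped and is now discarded as a comment, which deserves a mention here or in the release notes.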
13 changes: 12 additions & 1 deletion test/unit/manipulation.js
Expand Up @@ -2268,7 +2268,7 @@ QUnit.test( "domManip plain-text caching (trac-6779)", function( assert ) {

QUnit.test( "domManip executes scripts containing html comments or CDATA (trac-9221)", function( assert ) {

assert.expect( 3 );
assert.expect( 4 );

jQuery( [
"<script type='text/javascript'>",
Expand All @@ -2293,6 +2293,17 @@ QUnit.test( "domManip executes scripts containing html comments or CDATA (trac-9
"//--><!]]>",
"</script>"
].join( "\n" ) ).appendTo( "#qunit-fixture" );

// ES2015 in Annex B requires HTML-style comment delimiters (`<!--` & `-->`) to act as
// single-line comment delimiters; i.e. they should be treated as `//`.
// See gh-4904
jQuery( [
"<script type='text/javascript'>",
"<!-- Same-line HTML comment",
"QUnit.assert.ok( true, '<!-- Same-line HTML comment' );",
"-->",
"</script>"
].join( "\n" ) ).appendTo( "#qunit-fixture" );
} );

testIframe(
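Review bot: The new fixture only puts text after the opening `<!--`; the closing `-->` sits alone on its line, so the `-->` half of the behaviour named in the comment above it is not exercised with trailing content. Consider a second fixture (and a matching bump of `assert.expect`) where text follows `-->` on the same line, so both delimiters listed in the comment are covered. It would also help to state in the test comment that the assertion runs inside the injected script, so a parse failure shows up as a missing assertion caught by `assert.expect( 4 )` rather than as an explicit failure.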