jquery/test/data/trusted-types-attributes.html
Michał Gołębiowski-Owczarek 4250b62878 Attributes: Don't stringify attributes in the setter
Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.

Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.

Fixes gh-4948
Closes gh-4949
2021-11-01 18:10:23 +01:00


<!DOCTYPE html>
<html>
<head>
<meta charset=utf-8 />
<title>Trusted HTML attribute tests</title>
</head>
<body>
<div id="qunit-fixture"></div>
<script src="../../dist/jquery.js"></script>
<script src="iframeTest.js"></script>
<script>
// Shared state for this fixture page. These are classic-script `var`s, so they
// are visible to everything else loaded into the iframe.
// `i` and `input` are not referenced by the visible script; `input` is shadowed
// by the wrapper callbacks' own parameter.
var i;
var input;

// jQuery-wrapped script element under test; assigned by runTests().
var elem;

// Trusted Types policy; only assigned when the browser exposes `trustedTypes`.
var policy;

// Collected { actual, expected, message } records handed to startIframeTest().
var results = [];
/**
 * Sets a wrapped script URL as the `src` of a fresh script element through
 * jQuery's attribute setter, attaches the element to the page and records
 * whether the URL reads back unchanged.
 *
 * The point of the check (see gh-4948) is that the setter hands the wrapper to
 * the DOM as-is: stringifying it first breaks Trusted Types enforcement on a
 * script `src` attribute.
 *
 * NOTE(review): nothing in this file turns enforcement on (for example a
 * `require-trusted-types-for` CSP); presumably the test server supplies it.
 * Confirm against the harness before relying on this fixture.
 *
 * @param {string} messagePrefix Label prepended to the recorded message.
 * @param {function(string): *} getTrustedScriptUrlWrapper Wraps a plain URL in
 *     the value that is passed to `.attr( "src", ... )`.
 */
function runTests( messagePrefix, getTrustedScriptUrlWrapper ) {
	var scriptElement, wrappedUrl, outcome;

	try {
		scriptElement = jQuery( "<script><\/script>" );
		wrappedUrl = getTrustedScriptUrlWrapper( "trusted-types-attributes.js" );

		// The shared `elem` is only assigned once the setter has succeeded.
		elem = scriptElement.attr( "src", wrappedUrl );
		elem.appendTo( document.body );

		outcome = {
			actual: elem.attr( "src" ),
			expected: "trusted-types-attributes.js",
			message: messagePrefix + ": script URL properly set"
		};
		results.push( outcome );
	} catch ( error ) {

		// Any exception (e.g. the browser rejecting the assignment) is turned
		// into a record whose `actual` and `expected` can never match, so the
		// failure is reported instead of aborting the page script.
		outcome = {
			actual: "error thrown",
			expected: "",
			message: messagePrefix + ": error has been thrown"
		};
		results.push( outcome );
	}
}
// Pick the strongest wrapper the browser supports, run the attribute test with
// it, then report the collected results to the parent test page.
if ( typeof trustedTypes === "undefined" ) {

	// No TrustedScriptURL support so let's at least run tests with object wrappers
	// with a proper `toString` function. See trusted-html.html for more context.
	runTests( "Object wrapper", function( input ) {
		var wrapper = {
			toString: function toString() {
				return input;
			}
		};

		return wrapper;
	} );
} else {

	// Pass-through policy: it returns its input unchanged. That is acceptable
	// here only because the single URL it ever sees is a fixed, same-directory
	// test file; a policy guarding real input would have to validate the URL.
	policy = trustedTypes.createPolicy( "jquery-test-policy", {
		createScriptURL: function( url ) {
			return url;
		}
	} );

	runTests( "TrustedScriptURL", function wrapInTrustedScriptUrl( input ) {
		var trustedUrl = policy.createScriptURL( input );

		return trustedUrl;
	} );
}

startIframeTest( results );
</script>
</body>
</html>