html5shiv Vulnerability.

[prakash-patel]

I use sonarQube for code analysis and it's gave me vulnerability for for html5shiv.js and html5shiv-printshiv.js file.

• html5shive.js line #204
• html5shive-printshive.js line #204

I updated code as below. Am i missing anything in below function.

ownerDocument.createDocumentFragment = function(h,f){
    return function(){ 
      var n=f.cloneNode(),c=n.createElement;
      h.shivMethods&&(
        // unroll the `createElement` calls
        getElements().join().replace(/[\w\-:]+/g, function(nodeName) {
          data.createElem(nodeName);
          data.frag.createElement(nodeName);
          return c("' + nodeName + '");
        }) 
      );
      return n;
    };
    }(html5, data.frag); 
  }

If you think this need to be change. I can create a pull request.

[zg]

Why don't you open the pull request and get feedback there instead?

[prakash-patel]

@zg I have created PR. I am not sure how to test my changes.

[aborkowski]

You are indeed missing something: The original Function constructor is used here precisely due to the evaluation of the string arguments (which is what SonarQube complains about). This is intended in order to "unroll the createElement calls". The original function body is generated as text in order to inline function calls and thereby unroll a loop which would be required otherwise (and cache the state at function creation), with one call to c() (and thereby n.createElement()) for each element. Your version calls the function c() with the string ' + nodeName + ' (literally) for each element instead. Hope this explains it. Have a look at the version of the code before the change in 189e939a925c53f3c8e76ae131882937980b8539.