Open GoogleCodeExporter opened 9 years ago
[deleted comment]
Verified in the Playground, and also, setting:
aDiv.innerHTML= "<div>something</div>";
does the correct thing, so we are just not properly hooking up innerHTML to the
parsing of script nodes.
Original comment by ihab.a...@gmail.com
on 3 Jul 2013 at 12:12
For the purposes of the jQuery tests, creating _some_ <script> node as a child
of 'aDiv' would suffice.
Original comment by ihab.a...@gmail.com
on 3 Jul 2013 at 12:14
The cause of this is that the .innerHTML setter is implemented as
feral.innerHTML = sanitizeHtml(value); and the hooks which permit <script> (and
these days, <style>) despite it being marked unsafe are implemented
specifically in HtmlEmitter.
I think the most _straightforward_ way to get the correct semantics here is to
instantiate a new HtmlEmitter independent of the existing one and point it at
the target element (or possibly a document fragment), with an added flag to
implement the "don't execute script" behavior of .innerHTML (follow
whatever HTML5 says here). However, I am reasonably confident this would be
very much slower than our current .innerHTML implementation.
An alternative is to set up the HTML sanitizer with a policy which permits
<script> and <style>, but we don't have hooks for suppressing the script's body
text. (In theory that doesn't matter, but it's too close to the edge for my
taste.)
Original comment by kpreid.switchb.org
on 13 Aug 2013 at 4:40
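The two policies described in the comment above, as an added example that is not part of the original thread or of Caja's code: the current behaviour, where sanitizing drops `<script>` entirely, and the alternative, where the element is kept but its attributes and body text are suppressed. `sanitizeFragment`, its allowlist and the sample input are assumptions made for this illustration.

```javascript
// Added example, not Caja code: sanitizeFragment, ALLOWED and RAW_TEXT are
// hypothetical names, and the regex scanner stands in for a real HTML parser.
const ALLOWED = new Set(['div', 'span', 'p', 'b', 'i']);
const RAW_TEXT = new Set(['script', 'style']); // content is raw text, not markup

const escapeText = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

function sanitizeFragment(html, { keepInertRawText = false } = {}) {
  let out = '';
  let pos = 0;
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index)); // text before the tag
    pos = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (RAW_TEXT.has(name)) {
      if (closing) continue; // stray </script> or </style>: drop it
      // Consume the body up to the matching close tag (or end of input) so
      // that it is never emitted, whichever policy is active.
      const closeRe = new RegExp('</' + name + '\\b[^>]*>', 'ig');
      closeRe.lastIndex = pos;
      const c = closeRe.exec(html);
      pos = c ? closeRe.lastIndex : html.length;
      tagRe.lastIndex = pos;
      // Alternative policy: keep an empty, attribute-free placeholder node.
      if (keepInertRawText) out += '<' + name + '></' + name + '>';
    } else if (ALLOWED.has(name)) {
      out += closing ? '</' + name + '>' : '<' + name + '>'; // attributes dropped
    }
    // Any other element: tag dropped, its text content kept (escaped).
  }
  return out + escapeText(html.slice(pos));
}

// Constructed input modelled on the jQuery test's need for a <script> child.
const sample =
  '<div>a</div><script src="x.js">alert(1)</script><b onclick="f()">c</b>';
console.log(sanitizeFragment(sample));
// -> <div>a</div><b>c</b>
console.log(sanitizeFragment(sample, { keepInertRawText: true }));
// -> <div>a</div><script></script><b>c</b>
```

With the second policy the container gets a `<script>` child that a test can find, while no source text or `src` attribute from the untrusted string reaches the DOM.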
Original comment by kpreid@google.com
on 7 Nov 2013 at 9:21
Original issue reported on code.google.com by
ihab.a...@gmail.com
on 3 Jul 2013 at 12:05