To support older browsers, Sizzle manipulates the DOM by setting the innerHTML property and then queries the results via querySelectorAll. This is problematic when the Sizzle lib is used by a modern web app that enforces Trusted Types, as all such assignments will fail.
It would be ideal to rewrite the code to avoid innerHTML and only use DOM manipulation methods such as createElement, appendChild or setAttribute. This might not be trivial, though, as such refactoring could change behavior in older browsers and break the functionality.
Alternatively, Sizzle could create a custom Trusted Types policy and use the createHTML method for all custom HTML strings.
The PR has a discussion on this proposal. We're about to archive Sizzle and, in fact, jQuery versions from 3.7.0 & up do not rely on Sizzle. Therefore, we don't plan to address this issue.
See https://w3c.github.io/webappsec-trusted-types/dist/spec/ for more details about the spec.
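A sketch of the policy-based alternative proposed in the issue, added here as an illustration; it is not code from the issue, the PR, or Sizzle. The policy name, the helper names and the markup constants are hypothetical, and the policy deliberately accepts only the library's own constant strings so it cannot be used to bless arbitrary input.

```javascript
// Constructed feature-test markup for illustration; NOT Sizzle's actual strings.
const ALLOWED_MARKUP = new Set([
  "<a id='probe'></a><select><option selected=''></option></select>",
  "<input type='hidden' name='probe'/>",
]);

// Hypothetical helper: builds a policy that converts only known constant
// markup into TrustedHTML. `tt` is the Trusted Types factory
// (globalThis.trustedTypes in a browser that supports it).
function createProbePolicy(tt, name = "selector-engine-probe") {
  const rules = {
    createHTML(markup) {
      if (!ALLOWED_MARKUP.has(markup)) {
        throw new TypeError("markup is not a known feature-test constant");
      }
      return markup;
    },
  };
  // Older browsers have no Trusted Types API and therefore no enforcement.
  // Keep the same allow-list check and hand back the plain string.
  if (!tt || typeof tt.createPolicy !== "function") {
    return { createHTML: (markup) => rules.createHTML(markup) };
  }
  return tt.createPolicy(name, rules);
}

// Single choke point for every innerHTML assignment in the library.
function setProbeMarkup(el, policy, markup) {
  el.innerHTML = policy.createHTML(markup);
  return el;
}

// Browser usage (the page's CSP must allow the policy name):
//   Content-Security-Policy: require-trusted-types-for 'script';
//                            trusted-types selector-engine-probe
//   const policy = createProbePolicy(globalThis.trustedTypes);
//   setProbeMarkup(document.createElement("div"), policy,
//                  "<input type='hidden' name='probe'/>");
```

Routing every assignment through one function keeps the set of strings that can reach innerHTML small enough to review by hand.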