diff --git a/source b/source index 4b8ccc17160..aa0fb43a5e2 100644 --- a/source +++ b/source @@ -3369,8 +3369,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute DOMPARSING

The following features are defined in Selection API: SELECTION

@@ -55937,7 +55937,7 @@ interface HTMLLegendElement : HTMLElement { owner of "e" would be the outer form "a".

This happens as follows: First, the "e" node gets associated with "c" in the HTML - parser. Then, the innerHTML algorithm moves the nodes + parser. Then, the innerHTML algorithm moves the nodes from the temporary document to the "b" element. At this point, the nodes see their ancestor chain change, and thus all the "magic" associations done by the parser are reset to normal ancestor associations.

@@ -61875,7 +61875,7 @@ interface HTMLScriptElement : HTMLElement {

When inserted using the document.write() method, script elements usually execute (typically blocking further script execution or HTML parsing). When inserted using the - innerHTML and outerHTML + innerHTML and outerHTML attributes, they do not execute at all.

The defer attribute may be specified even if the
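Review bot: The changed sentence still pairs innerHTML with outerHTML, but the rest of this patch only introduces a local definition for innerHTML (the IDL members and the new "The innerHTML property" section). Please confirm the outerHTML cross-reference on the + line still resolves to DOM Parsing and was not switched to a local target that this document does not define.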

partial interface Element {
   [CEReactions] undefined setHTMLUnsafe(HTMLString html);
   DOMString getHTML(optional GetHTMLOptions options = {});
+
+  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString innerHTML;
 };
 
 partial interface ShadowRoot {
   [CEReactions] undefined setHTMLUnsafe(HTMLString html);
   DOMString getHTML(optional GetHTMLOptions options = {});
+
+  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString innerHTML;
 };
 
 dictionary GetHTMLOptions {
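Review bot: The null handling implied by [LegacyNullToEmptyString] on both added innerHTML attributes is not documented in the new section: the "element.innerHTML = value" and "shadowRoot.innerHTML = value" entries only say the contents are replaced with nodes parsed from the given string. Suggest adding a sentence there that assigning null is treated as the empty string and therefore empties the element or shadow root. setHTMLUnsafe() in the same partial interfaces carries no such annotation, so the difference is easy to miss.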
@@ -112709,6 +112713,135 @@ enum DOMParserSupportedType {
 
   
 
+  

The innerHTML property

+ +

The innerHTML property has a number of outstanding issues + in the DOM Parsing and Serialization issue + tracker, documenting various problems with its specification.

+ +
+
element.innerHTML
+
+

Returns a fragment of HTML or XML that represents the element's contents.

+ +

In the case of an XML document, throws a "InvalidStateError" + DOMException if the element cannot be serialized to XML.

+
+
element.innerHTML = value
+
+

Replaces the contents of the element with nodes parsed from the given string.

+ +

In the case of an XML document, throws a "SyntaxError" + DOMException if the given string is not well-formed.

+
+ +
shadowRoot.innerHTML
+
+

Returns a fragment of HTML that represents the shadow roots's contents.

+
+ +
shadowRoot.innerHTML = value
+
+

Replaces the contents of the shadow root with nodes parsed from the given string.

+
+
+ +

These properties' setters perform no sanitization to remove + potentially-dangerous elements and attributes like script or event handler + content attributes.

+ +
+ +

The fragment serializing algorithm steps, given an Element or + DocumentFragment node and a boolean require well-formed, + are:

+ +
    +
  1. Let context document be node's node document.

  2. + +
  3. If context document is an HTML document, + return the result of HTML fragment serialization algorithm with node, + false, and « ».

  4. + +
  5. Return the XML serialization of node + given require well-formed.

  6. +
+ +

The fragment parsing algorithm steps, given an Element or + DocumentFragment context and a string markup, are:

+ +
    +
  1. Let algorithm be the HTML fragment parsing algorithm.

  2. + +
  3. If context's node document is an XML document, then set algorithm to the XML fragment parsing + algorithm.

  4. + +
  5. Let new children be the result of invoking algorithm given + markup, with context set to + context.

  6. + +
  7. Let fragment be a new DocumentFragment whose node + document is context's node document.

  8. + +
  9. +

    Append each Node in new + children to fragment (in tree order).

    + +

    This ensures the node document for the new nodes is correct.

    +
  10. + +
  11. Return fragment.

  12. +
+ +

Element's innerHTML getter steps are to return the result of + running fragment serializing algorithm steps with this and true.

+ +

ShadowRoot's innerHTML getter steps are to return the result of + running fragment serializing algorithm steps with this and true.

+ +

Element's innerHTML setter steps + are:

+ +
    +
  1. Let context be this.

  2. + +
  3. Let fragment be the result of invoking the fragment parsing algorithm + steps with context and the given value.

  4. + +
  5. +

    If context is a template element, then set context to + the template element's template contents (a + DocumentFragment).

    + +

    Setting innerHTML on a + template element will replace all the nodes in its template contents + rather than its children.

    +
  6. + +
  7. Replace all with fragment + within context.

  8. +
+ +

ShadowRoot's innerHTML setter + steps are:

+ +
    +
  1. Let context be this's host.

  2. + +
  3. Let fragment be the result of invoking the fragment parsing algorithm + steps with context and the given value.

  4. + +
  5. Replace all with fragment + within this.

  6. +
+ +
+

Timers

The setTimeout() and This can enable cross-site scripting attacks. An example of this would be a page that lets the user enter some font family names that are then inserted into a CSS style block via - the DOM and which then uses the innerHTML IDL attribute to get + the DOM and which then uses the innerHTML IDL attribute to get the HTML serialization of that style element: if the user enters "</style><script>attack</script>" as a font family name, innerHTML will return markup that, if parsed in a different context, + data-x="dom-element-innerHTML">innerHTML will return markup that, if parsed in a different context, would contain a script node, even though no script node existed in the original DOM.
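Review bot: The warning in the new "The innerHTML property" section covers only the setters ("These properties' setters perform no sanitization ..."), but the getter has its own hazard, which the font-family example touched by the last hunk already describes: the serialized string can yield a script node when parsed in a different context even though no script node existed in the DOM. Suggest extending that warning, or adding a note beside the getter steps, to say the returned markup is not safe to re-parse elsewhere, with a link to that example. Two wording nits in the same section: "the shadow roots's contents" should be "the shadow root's contents", and "throws a "InvalidStateError"" should read "throws an "InvalidStateError"".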