zc2
asked on
Safary XSLTProcessor removes event handler attributes
In this fiddle: https://jsfiddle.net/q3d10wmv/
How to make XSLTProcessor of Safari browser (tested on macOS 10.15.7 Catalina) not to remove the onclick attribute?
Expected result:
How to make XSLTProcessor of Safari browser (tested on macOS 10.15.7 Catalina) not to remove the onclick attribute?
Expected result:
<a href="javascript:void(0);" onclick="alert(1);">1 </a>
On Safari:<a href="javascript:void(0);">1 </a>
ASKER
That's right, on iOS it works fine. The problem is only on macOS.
I noticed, the onclick is not removed when transformToFragment() is used
I've had issues to use it though, since a lack of support of disable-output-escaping="y es" on some browsers, etc.
I noticed, the onclick is not removed when transformToFragment() is used
I've had issues to use it though, since a lack of support of disable-output-escaping="y
ASKER
transformToFragment()
Even though disable-output-escaping="y es" is supported in WebKit, there is another problem - it removes the <td> elements if it is not inside a table. Here is a fiddle: https://jsfiddle.net/69oem 2b7/9
Even though disable-output-escaping="y
I think you should avoid disable-output-escaping as much as possible anyway
You parse the result document as an XML.
Have you tried to explicitly set the output method to XML?
as your result is a fragment of HTML, the serialiser might have another opinion
<xsl:output method="xml"/>
There is a bit of parsing and serialisation going on, I guess the problem is the XML string to HTML innerText filtering
You could try to set the serialisation to html
<xsl:output method="html"/>
and set the innerHTML instead
it would save you the extra serializeToString on line 20
But I can not test any of those by lacking a macOS system
You parse the result document as an XML.
Have you tried to explicitly set the output method to XML?
as your result is a fragment of HTML, the serialiser might have another opinion
<xsl:output method="xml"/>
There is a bit of parsing and serialisation going on, I guess the problem is the XML string to HTML innerText filtering
You could try to set the serialisation to html
<xsl:output method="html"/>
and set the innerHTML instead
it would save you the extra serializeToString on line 20
But I can not test any of those by lacking a macOS system
ASKER
should avoid disable-output-escaping as much as possibleI don't know how else can I output data which is actually an HTML (say from a database field)
Have you tried to explicitly set the output method to XML?Having an explicit output method xml does not change a thing.
Actually, in the real sites I always set the method to xml with
<xsl:output method="xml" encoding="windows-1252" omit-xml-declaration="no" />
I'd prefer not to use the html method because in some cases a transformation output is an input for another transformation.I guess the problem is the XML string to HTML innerText filteringNo, it is filtered out during the transformation, not the serialization or innerHTML insertion. I added the following line, it shows null (on macOS Safari only)
alert(res_d.documentElement.getAttribute("onclick"));
OK, I see
Fragile as it seems, different approaches to the same, might lead to different results
Have you tried adding the attributes with an xsl:attribute instead of literal attributes in the a element?
It is a slightly different construction of the output tree, so it might have an effect
It also protects you in case the parseFromString gets it out from the XSLT source rightaway
But shooting in the dark with this
Fragile as it seems, different approaches to the same, might lead to different results
Have you tried adding the attributes with an xsl:attribute instead of literal attributes in the a element?
It is a slightly different construction of the output tree, so it might have an effect
It also protects you in case the parseFromString gets it out from the XSLT source rightaway
But shooting in the dark with this
ASKER
Just tried, to declare the onclick as <xsl:attribute name="onclick">alert(1);</ xsl:attrib ute>
Still omitted from the result.
I found a solution, but I am pretty much uncertain it would not bring me other troubles somewhere (see below).
It consists of the following:
1. use transformToFragment() to transform
2. output method="xml"
3. All XSLT files, top level and imported utility have to declare the namespace xmlns="http://www.w3.org/1999/xhtml"
Here is a fiddle: https://jsfiddle.net/w9tud sy8/1/
It inserts xmlns="http://www.w3.org/1999/xhtml" in all output nodes, and I don't know how to get rid of it.
Also, I am not sure as it might change the browser behaviour in some part. All the site pages have <!DOCTYPE html> making them HTML5 compatible. I afraid that having the namespace xmlns="http://www.w3.org/1999/xhtml" would modify that somehow.
Still omitted from the result.
I found a solution, but I am pretty much uncertain it would not bring me other troubles somewhere (see below).
It consists of the following:
1. use transformToFragment() to transform
2. output method="xml"
3. All XSLT files, top level and imported utility have to declare the namespace xmlns="http://www.w3.org/1999/xhtml"
Here is a fiddle: https://jsfiddle.net/w9tud
It inserts xmlns="http://www.w3.org/1999/xhtml" in all output nodes, and I don't know how to get rid of it.
Also, I am not sure as it might change the browser behaviour in some part. All the site pages have <!DOCTYPE html> making them HTML5 compatible. I afraid that having the namespace xmlns="http://www.w3.org/1999/xhtml" would modify that somehow.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
so it might be something macOS related only
Just to see the the processor used in all cases I did this fiddle
https://jsfiddle.net/gq82a3tb/
but it does not seem to help
(I also did add the version attribute to the stylesheet element, even when not used it still is mandatory in a stylesheet)