diff --git a/source b/source index 8639eb9e205..58fb79c8174 100644 --- a/source +++ b/source @@ -3369,8 +3369,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute DOMPARSING

The following features are defined in Selection API: SELECTION

@@ -55937,7 +55937,7 @@ interface HTMLLegendElement : HTMLElement { owner of "e" would be the outer form "a".

This happens as follows: First, the "e" node gets associated with "c" in the HTML - parser. Then, the innerHTML algorithm moves the nodes + parser. Then, the innerHTML algorithm moves the nodes from the temporary document to the "b" element. At this point, the nodes see their ancestor chain change, and thus all the "magic" associations done by the parser are reset to normal ancestor associations.

@@ -61875,7 +61875,7 @@ interface HTMLScriptElement : HTMLElement {

When inserted using the document.write() method, script elements usually execute (typically blocking further script execution or HTML parsing). When inserted using the - innerHTML and outerHTML + innerHTML and outerHTML attributes, they do not execute at all.

The defer attribute may be specified even if the

partial interface Element {
   [CEReactions] undefined setHTMLUnsafe(HTMLString html);
   DOMString getHTML(optional GetHTMLOptions options = {});
+  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString innerHTML;
 };
 
 partial interface ShadowRoot {
   [CEReactions] undefined setHTMLUnsafe(HTMLString html);
   DOMString getHTML(optional GetHTMLOptions options = {});
+  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString innerHTML;
 };
 
 dictionary GetHTMLOptions {
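Review bot: the two added `innerHTML` attribute lines carry `[LegacyNullToEmptyString]`, so assigning null is treated as the empty string, yet the author-facing text added later in the patch ("Can be set, to replace the contents of the element with nodes parsed from the given string") does not mention it. Consider stating there that setting null clears the contents. The member line is also duplicated verbatim on Element and ShadowRoot, so any later change to its extended attributes has to be made in both places.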
@@ -112673,6 +112675,9 @@ enum DOMParserSupportedType {
    
   
 
+  

These properties perform no sanitization to remove potentially-dangerous elements + and attributes like script or event handler content attributes.

+

Element's DOMParserSupportedType {

+

innerHTML property

+ +
+
element.innerHTML [ = value ]
+
+

Returns a fragment of HTML or XML that represents the element's contents. + +

Can be set, to replace the contents of the element with nodes parsed from the given string. + +

In the case of an XML document, throws a "InvalidStateError" + DOMException if the element cannot be serialized to XML, or a + "SyntaxError" DOMException if the given string is not + well-formed. +

+ +
shadowRoot.innerHTML [ = value ]
+
+

Returns a fragment of HTML that represents the shadow roots's contents. + +

Can be set, to replace the contents of the shadow root with nodes parsed from the given + string.

+
+
+ +
+ +

The fragment serializing algorithm steps, given a DOM Element + or DocumentFragment referred to as node and a flag require + well-formed, are:

+ +
    +
  1. Let context document be the value of node's node + document.

  2. + +
  3. If context document is an HTML document, + return the result of HTML fragment serialization algorithm with node, + false, and « ».

  4. + +
  5. Otherwise, context document is an XML + document; return an XML serialization of + node passing the flag require well-formed.

  6. +
+ +

The fragment parsing algorithm steps, given a DOM Element or + DocumentFragment referred to as context element and string + markup, are:

+ +
    +
  1. If the context element's node document is an HTML document: let algorithm be the HTML fragment parsing + algorithm.

  2. + +
  3. If the context element's node document is an XML document: let algorithm be the XML fragment parsing + algorithm.

  4. + +
  5. Let new children be the result of invoking algorithm with + markup as the input, and context element as the context element.

  6. + +
  7. Let fragment be a new DocumentFragment whose node + document is context element's node document.

  8. + +
  9. +

    Append each Node in new + children to fragment (in tree order).

    + +

    This ensures the node document for the new nodes is correct.

    +
  10. + +
  11. Return the value of fragment.

  12. +
+ +

The element.innerHTML and shadowRoot.innerHTML getter + steps are to return the result of running fragment serializing algorithm steps with + this, and true.

+ +

The element.innerHTML and shadowRoot.innerHTML setters steps are:

+ +
    +
  1. Let context object be this.

  2. +
  3. Let context element be the context object's host if this is a + ShadowRoot object, or this otherwise.

  4. + +
  5. Let fragment be the result of invoking the fragment parsing algorithm + steps with context element, and the given value.

  6. + +
  7. +

    If context object is a template element, then let context + object be the template element's template contents (a + DocumentFragment).

    + +

    Setting innerHTML on a + template element will replace all the nodes in its template contents + (template.contents) rather than its children.

    +
  8. + +
  9. Replace all with fragment within + context object.

  10. +
+ +
+

Timers

The setTimeout() and This can enable cross-site scripting attacks. An example of this would be a page that lets the user enter some font family names that are then inserted into a CSS style block via - the DOM and which then uses the innerHTML IDL attribute to get + the DOM and which then uses the innerHTML IDL attribute to get the HTML serialization of that style element: if the user enters "</style><script>attack</script>" as a font family name, innerHTML will return markup that, if parsed in a different context, + data-x="dom-element-innerHTML">innerHTML will return markup that, if parsed in a different context, would contain a script node, even though no script node existed in the original DOM.
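Review bot: in the added innerHTML setter steps, context object is introduced with "Let context object be this" and then rebound in the template step with "let context object be the template element's template contents"; the second should read "set context object to". The context element step should also test context object rather than switching back to "this", so that one name is used throughout. Smaller wording fixes in the same added text: "shadow roots's contents" should be "shadow root's contents", "setters steps are" should be "setter steps are", "a "InvalidStateError"" should be "an", and "Return the value of fragment" can be just "Return fragment". The added warning that these properties perform no sanitization would be clearer if it named the innerHTML setter, since the setter steps as written parse the given value and replace all with the result without any filtering.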