Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Adjust jQuery('html') detection to only match when html starts with '…

…<' (not counting space characters). Fixes #11290.
  • Loading branch information...
commit 05531fc4080ae24070930d15ae0cea7ae056457d 1 parent 452e327
@timmywil timmywil authored
View
3  src/core.js
@@ -49,7 +49,8 @@ var
// A simple way to check for HTML strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
- rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
+ // Strict HTML recognition (#11290: must start with <)
+ rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
// Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/,
2  src/sizzle
@@ -1 +1 @@
-Subproject commit 20ad5f811e22bf8528d8c33f0e7966fdb461c55a
+Subproject commit 8c6ed151bdfd03b8a8ec3707963caada8e73d041
View
12 test/unit/core.js
@@ -27,7 +27,7 @@ test("jQuery()", function() {
div = jQuery("<div/><hr/><code/><b/>"),
exec = false,
lng = "",
- expected = 26,
+ expected = 22,
attrObj = {
"click": function() { ok( exec, "Click executed." ); },
"text": "test",
@@ -139,15 +139,9 @@ test("jQuery()", function() {
// manually clean up detached elements
elem.remove();
- equal( jQuery(" <div/> ").length, 1, "Make sure whitespace is trimmed." );
- equal( jQuery(" a<div/>b ").length, 1, "Make sure whitespace and other characters are trimmed." );
-
for ( i = 0; i < 128; i++ ) {
lng += "12345678";
}
-
- equal( jQuery(" <div>" + lng + "</div> ").length, 1, "Make sure whitespace is trimmed on long strings." );
- equal( jQuery(" a<div>" + lng + "</div>b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." );
});
test( "selector state", function() {
@@ -1206,7 +1200,7 @@ test("jQuery.proxy", function(){
});
test("jQuery.parseHTML", function() {
- expect( 12 );
+ expect( 13 );
var html, nodes;
@@ -1231,6 +1225,8 @@ test("jQuery.parseHTML", function() {
equal( jQuery.parseHTML("text")[0].nodeType, 3, "Parsing text returns a text node" );
equal( jQuery.parseHTML( "\t<div></div>" )[0].nodeValue, "\t", "Preserve leading whitespace" );
+
+ equal( jQuery.parseHTML(" <div/> ")[0].nodeType, 3, "Leading spaces are treated as text nodes (#11290)" );
});
test("jQuery.parseJSON", function(){
View
14 test/unit/selector.js
@@ -17,7 +17,7 @@ test("element - jQuery only", function() {
ok( jQuery("#length").length, "<input name=\"length\"> cannot be found under IE, see #945" );
ok( jQuery("#lengthtest input").length, "<input name=\"length\"> cannot be found under IE, see #945" );
- //#7533
+ // #7533
equal( jQuery("<div id=\"A'B~C.D[E]\"><p>foo</p></div>").find("p").length, 1, "Find where context root is a node and has an ID with CSS3 meta characters" );
});
@@ -77,6 +77,18 @@ test("disconnected nodes", function() {
equal( $div.is("div"), true, "Make sure .is('nodeName') works on disconnect nodes." );
});
+test("jQuery only - broken", 1, function() {
+ raises(function() {
+ // Setting context to null here somehow avoids QUnit's window.error handling
+ // making the e & e.message correct
+ // For whatever reason, without this,
+ // Sizzle.error will be called but no error will be seen in oldIE
+ jQuery.call( null, " <div/> " );
+ }, function( e ) {
+ return e.message.indexOf("Syntax error") >= 0;
+ }, "leading space invalid: $(' <div/> ')" );
+});
+
testIframe("selector/html5_selector", "attributes - jQuery.attr", function( jQuery, window, document ) {
expect( 35 );
View
2  test/unit/traversing.js
@@ -114,7 +114,7 @@ test("is() with positional selectors", function() {
"<p id='posp'><a class='firsta' href='#'><em>first</em></a><a class='seconda' href='#'><b>test</b></a><em></em></p>"
).appendTo( "body" ),
isit = function(sel, match, expect) {
- equal( jQuery( sel ).is( match ), expect, "jQuery( " + sel + " ).is( " + match + " )" );
+ equal( jQuery( sel ).is( match ), expect, "jQuery('" + sel + "').is('" + match + "')" );
};
isit( "#posp", "#posp:first", true );
Please sign in to comment.
Something went wrong with that request. Please try again.