Don't cache non-html strings in buildFragment to avoid possible colli…

…sion with the names of Object methods like toString. Also makes the unit tests 0.5% to 8% faster. Fixes #6779.

src/manipulation.js

@@ -440,12 +440,12 @@ jQuery.buildFragment = function( args, nodes, scripts ) {
 	var fragment, cacheable, cacheresults,
 		doc = (nodes && nodes[0] ? nodes[0].ownerDocument || nodes[0] : document);
 
-	// Only cache "small" (1/2 KB) strings that are associated with the main document
+	// Only cache "small" (1/2 KB) HTML strings that are associated with the main document
 	// Cloning options loses the selected state, so don't cache them
 	// IE 6 doesn't like it when you put <object> or <embed> elements in a fragment
 	// Also, WebKit does not clone 'checked' attributes on cloneNode, so don't cache
 	if ( args.length === 1 && typeof args[0] === "string" && args[0].length < 512 && doc === document &&
-		!rnocache.test( args[0] ) && (jQuery.support.checkClone || !rchecked.test( args[0] )) ) {
+		args[0].charAt(0) === "<" && !rnocache.test( args[0] ) && (jQuery.support.checkClone || !rchecked.test( args[0] )) ) {
 
 		cacheable = true;
 		cacheresults = jQuery.fragments[ args[0] ];

test/unit/manipulation.js

@@ -1247,3 +1247,20 @@ test("jQuery.cleanData", function() {
 		return div;
 	}
 });
+
+test("jQuery.buildFragment - no plain-text caching (Bug #6779)", function() {
+	expect(1);
+
+	// DOM manipulation fails if added text matches an Object method
+	var $f = jQuery( "<div />" ).appendTo( "#main" ),
+		bad = [ "start-", "toString", "hasOwnProperty", "append", "here&there!", "-end" ];
+
+	for ( var i=0; i < bad.length; i++ ) {
+		try {
+			$f.append( bad[i] );
+		}
+		catch(e) {}
+	}
+    equals($f.text(), bad.join(''), "Cached strings that match Object properties");
+	$f.remove();
+});