Skip to content
Permalink
Browse files

Prioritize #id over <tag> to avoid XSS via location.hash (#9521)

  • Loading branch information...
dmethvin committed Aug 23, 2011
1 parent 84f2908 commit 749dbad981f040bd65cbb50c10e9aa6e44bd26ff
Showing with 20 additions and 2 deletions.
  1. +2 −2 src/core.js
  2. +18 −0 test/unit/core.js
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
rootjQuery,

// A simple way to check for HTML strings or ID strings
// (both of which we optimize for)
quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
@@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() {
document.body.removeChild( iframe );
});

test("XSS via location.hash", function() {
expect(1);

stop();
jQuery._check9521 = function(x){
ok( x, "script called from #id-like selector with inline handler" );
jQuery("#check9521").remove();
delete jQuery._check9521;
start();
};
try {
// This throws an error because it's processed like an id
jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture");
} catch (err) {
jQuery._check9521(true);
};
});

if ( !isLocal ) {
test("isXMLDoc - XML", function() {
expect(3);

0 comments on commit 749dbad

Please sign in to comment.
You can’t perform that action at this time.