Skip to content
Permalink
Browse files

Prioritize #id over <tag> to avoid XSS via location.hash (#9521)

  • Loading branch information...
dmethvin committed Aug 23, 2011
1 parent 84f2908 commit 749dbad981f040bd65cbb50c10e9aa6e44bd26ff
Showing with 20 additions and 2 deletions.
  1. +2 −2 src/core.js
  2. +18 −0 test/unit/core.js
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
rootjQuery,

// A simple way to check for HTML strings or ID strings
// (both of which we optimize for)
quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
@@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() {
document.body.removeChild( iframe );
});

test("XSS via location.hash", function() {
expect(1);

stop();
jQuery._check9521 = function(x){
ok( x, "script called from #id-like selector with inline handler" );
jQuery("#check9521").remove();
delete jQuery._check9521;
start();
};
try {
// This throws an error because it's processed like an id
jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture");
} catch (err) {
jQuery._check9521(true);
};
});

if ( !isLocal ) {
test("isXMLDoc - XML", function() {
expect(3);

0 comments on commit 749dbad

Please sign in to comment.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.