When detecting html in init, ignore html characters within quotes, br…

…ackets, and parens as well as escaped characters which are valid in selectors. Fixes #11290.
jquery · Jun 19, 2012 · 7692ae4 · 7692ae4 · gibson042 · Jun 19, 2012
1 parent 868a9ce
commit 7692ae4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/core.js b/src/core.js
@@ -41,7 +41,8 @@ var
 
 	// A simple way to check for HTML strings
 	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	rhtmlString = /^(?:[^#<]*(<[\w\W]+>)[^>]*$)/,
+	// Ignore html if within quotes "" '' or brackets/parens [] ()
+	rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
 
 	// Match a standalone tag
 	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,

diff --git a/test/unit/core.js b/test/unit/core.js
@@ -605,7 +605,7 @@ test("isWindow", function() {
 });
 
 test("jQuery('html')", function() {
-	expect(18);
+	expect( 22 );
 
 	QUnit.reset();
 	jQuery.foo = false;
@@ -638,6 +638,11 @@ test("jQuery('html')", function() {
 	ok( jQuery("<div></div>")[0], "Create a div with closing tag." );
 	ok( jQuery("<table></table>")[0], "Create a table with closing tag." );
 
+	equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
+	equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
+	equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
+	equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
+
 	// Test very large html string #7990
 	var i;
 	var li = "<li>very large html string</li>";