library-mirrors/jquery
1
0
Fork 0
mirror of https://github.com/jquery/jquery.git synced 2025-01-10 18:24:24 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Restore rhtmlString to its original form. 1.9 will come with starts-with html matching. For now, we are warning against broad use of jQuery() to parse html.

Browse Source
This commit is contained in:
timmywil 2012-06-20 16:22:36 -04:00
parent c20e031058
commit 6cdca88eee
2 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/core.js
View File

@ -41,8 +41,7 @@ var
// A simple way to check for HTML strings // A simple way to check for HTML strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521) // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
// Ignore html if within quotes "" '' or brackets/parens [] () rhtmlString = /^(?:[^#<]*(<[\w\W]+>)[^>]*$)/,
rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
// Match a standalone tag // Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/, rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,

10
test/unit/core.js
View File

@ -605,7 +605,7 @@ test("isWindow", function() {
}); });
test("jQuery('html')", function() { test("jQuery('html')", function() {
expect( 22 ); expect( 18 );
QUnit.reset(); QUnit.reset();
jQuery.foo = false; jQuery.foo = false;
@ -638,10 +638,10 @@ test("jQuery('html')", function() {
ok( jQuery("<div></div>")[0], "Create a div with closing tag." ); ok( jQuery("<div></div>")[0], "Create a div with closing tag." );
ok( jQuery("<table></table>")[0], "Create a table with closing tag." ); ok( jQuery("<table></table>")[0], "Create a table with closing tag." );
equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." ); // equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." ); // equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." ); // equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" ); // equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
// Test very large html string #7990 // Test very large html string #7990
var i; var i;