From 749dbad981f040bd65cbb50c10e9aa6e44bd26ff Mon Sep 17 00:00:00 2001
From: Dave Methvin
Date: Tue, 23 Aug 2011 08:25:11 -0400
Subject: [PATCH] Prioritize #id over to avoid XSS via location.hash (#9521)

---
 src/core.js | 4 ++--
 test/unit/core.js | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/core.js b/src/core.js
index 694f884d6..0b99b74a2 100644
--- a/src/core.js
+++ b/src/core.js
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
 rootjQuery,
 // A simple way to check for HTML strings or ID strings
- // (both of which we optimize for)
- quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+ // Prioritize #id over to avoid XSS via location.hash (#9521)
+ quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
 // Check if a string has a non-whitespace character in it
 rnotwhite = /\S/,
diff --git a/test/unit/core.js b/test/unit/core.js
index d47920501..40ee80f6a 100644
--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() {
 document.body.removeChild( iframe );
 });
+test("XSS via location.hash", function() {
+ expect(1);
+
+ stop();
+ jQuery._check9521 = function(x){
+ ok( x, "script called from #id-like selector with inline handler" );
+ jQuery("#check9521").remove();
+ delete jQuery._check9521;
+ start();
+ };
+ try {
+ // This throws an error because it's processed like an id
+ jQuery( '#' ).appendTo("#qunit-fixture");
+ } catch (err) {
+ jQuery._check9521(true);
+ };
+});
+
 if ( !isLocal ) {
 test("isXMLDoc - XML", function() {
 expect(3);
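Review bot: The new `[^#<]*` prefix in `quickExpr` only closes the `#`-prefixed case (location.hash); any other string that merely contains a tag after some leading non-`#` text still takes the HTML branch of `jQuery()`, so untrusted input that does not start with `#` remains parseable as markup. A stricter shape would be to take the HTML branch only when the string starts with `<` after optional whitespace, e.g. `quickExpr = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/`, but since that would change behaviour for callers relying on leading text before a tag it belongs in a separate change rather than this fix. The replacement comment reads `// Prioritize #id over to avoid XSS …`, which appears to be missing a word after `over` (possibly a tag-like token dropped by the renderer of this page); whatever was intended, the rule itself is worth stating, e.g. `// A '#' before the first '<' disqualifies the HTML branch, so hash-like strings can only match as #id (#9521)`. The `var jQuery = function( selector, context )` declaration these initializers belong to starts and ends outside the hunk.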
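Review bot: This test cannot fail under the regression it targets: `jQuery._check9521` asserts `ok( x, … )` and is called with `true` from the `catch` branch, but it is also the function an inline handler in the selector string would call if the string were still parsed as HTML (the scenario its own message "script called from #id-like selector with inline handler" describes), so both the fixed and the vulnerable behaviour produce a passing assertion. The two outcomes need opposite assertions — the handler path should be `ok( false, … )` and the catch path `ok( true, … )` — and the catch path should not report success for unrelated exceptions such as the `#qunit-fixture` target being absent, so it should at least assert something about the caught error. As rendered here the argument is just `'#'`, which would likely return an empty set rather than throw and leave the test waiting until the QUnit timeout; the original literal presumably contained markup after the `#` that this page has stripped, which should be confirmed against the repository. The stray `;` after the `try`/`catch` block is an empty statement and can be dropped.
```javascript
test("XSS via location.hash", function() {
	expect(1);

	stop();
	// Reached only if the string was parsed as HTML and its inline handler ran -- that is the regression.
	jQuery._check9521 = function() {
		ok( false, "#-prefixed string was parsed as HTML and its inline handler executed" );
		jQuery("#check9521").remove();
		delete jQuery._check9521;
		start();
	};
	try {
		// SELECTOR_UNDER_TEST: the '#…' literal from the commit (markup after '#' is not visible in this rendering)
		jQuery( SELECTOR_UNDER_TEST ).appendTo("#qunit-fixture");
	} catch (err) {
		// Expected path: the string is routed to the #id branch and rejected as a selector.
		ok( err, "#-prefixed string was rejected as a selector instead of being parsed as HTML" );
		delete jQuery._check9521;
		start();
	}
});
```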