library-mirrors/jquery
1
0
Fork 0
mirror of https://github.com/jquery/jquery.git synced 2025-01-10 18:24:24 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #474 from dmethvin/fix-9521-xss-hash

Browse Source 
Fixes #9521. Prioritize #id over <tag> to avoid XSS via location.hash.
This commit is contained in:
Dave Methvin 2011-08-25 12:16:46 -07:00
commit db9e023e62
2 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/core.js
View File

@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
rootjQuery, rootjQuery,
// A simple way to check for HTML strings or ID strings // A simple way to check for HTML strings or ID strings
// (both of which we optimize for) // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Check if a string has a non-whitespace character in it // Check if a string has a non-whitespace character in it
rnotwhite = /\S/, rnotwhite = /\S/,

18
test/unit/core.js
View File

@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() {
document.body.removeChild( iframe ); document.body.removeChild( iframe );
}); });
test("XSS via location.hash", function() {
expect(1);
stop();
jQuery._check9521 = function(x){
ok( x, "script called from #id-like selector with inline handler" );
jQuery("#check9521").remove();
delete jQuery._check9521;
start();
};
try {
// This throws an error because it's processed like an id
jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture");
} catch (err) {
jQuery._check9521(true);
};
});
if ( !isLocal ) { if ( !isLocal ) {
test("isXMLDoc - XML", function() { test("isXMLDoc - XML", function() {
expect(3); expect(3);