// A simple way to check for HTML strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
- rhtmlString = /^(?:[^#<]*(<[\w\W]+>)[^>]*$)/,
+ // Ignore html if within quotes "" '' or brackets/parens [] ()
+ rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
// Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
});
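Review bot: The new comment on the `rhtmlString` line overstates what the regex checks: the four negative lookaheads run only at the position after the captured `<...>` (which `[^>]*$` forces to end at the last `>`), so they reject the string when an unmatched closing `]`, `)`, `'` or `"` follows that final `>`, and nothing before the `<` except `#`, `<` and the newly excluded `\` is inspected. A more exact comment would be `// Not html if an unmatched ], ), ' or " follows the last >, or a \ precedes the < (escaped html)`. Since this regex only classifies a string as selector-or-html heuristically, the entry point that consumes `rhtmlString` (outside this hunk) should document that the decision is a heuristic rather than a guarantee about the string's origin. The `var` list this declaration belongs to begins before the hunk and continues past `rsingleTag`.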
test("jQuery('html')", function() {
- expect(18);
+ expect( 22 );
QUnit.reset();
jQuery.foo = false;
ok( jQuery("<div></div>")[0], "Create a div with closing tag." );
ok( jQuery("<table></table>")[0], "Create a table with closing tag." );
+ equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
+ equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
+ equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
+ equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
+
// Test very large html string #7990
var i;
var li = "<li>very large html string</li>";