trimRight = /\s+$/,
// A simple way to check for HTML strings
- // If starts-with '<'
- rhtmlString = /^\s*(<[\w\W]+>)[^>]*$/,
+ // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+ // Ignore html if within quotes "" '' or brackets/parens [] ()
+ rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
// Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
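Review bot: The new `rhtmlString` on the `+` line still treats a string as HTML when ordinary text precedes the first `<`, because the prefix `[^#<\\]*` excludes only `#` and `\`. The change therefore covers the `location.hash` case named in the comment and is not a general filter for untrusted strings passed to `jQuery()`. The comment should say so, e.g. `// Heuristic only: input without # or \ before the first < is still parsed as HTML; do not pass untrusted strings to jQuery()`. The four lookaheads are evaluated only against the text after the final `>`, so "within quotes or brackets" describes the intent rather than what is actually checked; a short comment on that limitation would help the next maintainer. The code that consumes the match lies outside this hunk.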
div = jQuery("<div/><hr/><code/><b/>"),
exec = false,
long = "",
- expected = 24,
+ expected = 26,
attrObj = {
click: function() { ok( exec, "Click executed." ); },
text: "test",
elem.remove();
equal( jQuery(" <div/> ").length, 1, "Make sure whitespace is trimmed." );
+ equal( jQuery(" a<div/>b ").length, 1, "Make sure whitespace and other characters are trimmed." );
for ( i = 0; i < 128; i++ ) {
long += "12345678";
}
equal( jQuery(" <div>" + long + "</div> ").length, 1, "Make sure whitespace is trimmed on long strings." );
+ equal( jQuery(" a<div>" + long + "</div>b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." );
});
test("selector state", function() {
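Review bot: The two added assertions cover only the accepting path, where text before `<` still yields one element; no assertion visible in this hunk pins the rejecting path the fix exists for. A regression test should confirm that a string whose first `<` is preceded by `#` is not turned into elements, and likewise for markup followed by a closing quote or bracket, with `expected` raised to match. Depending on how the selector engine handles such strings, the check may need to catch a thrown syntax error rather than compare `.length` to 0. The enclosing test function starts outside the hunk.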