From 749dbad981f040bd65cbb50c10e9aa6e44bd26ff Mon Sep 17 00:00:00 2001
From: Dave Methvin <dave.methvin@gmail.com>
Date: Tue, 23 Aug 2011 08:25:11 -0400
Subject: [PATCH] Prioritize #id over <tag> to avoid XSS via location.hash
 (#9521)

---
 src/core.js       |  4 ++--
 test/unit/core.js | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/core.js b/src/core.js
index 694f884d6..0b99b74a2 100644
--- a/src/core.js
+++ b/src/core.js
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
 	rootjQuery,
 
 	// A simple way to check for HTML strings or ID strings
-	// (both of which we optimize for)
-	quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+	quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
 
 	// Check if a string has a non-whitespace character in it
 	rnotwhite = /\S/,
diff --git a/test/unit/core.js b/test/unit/core.js
index d47920501..40ee80f6a 100644
--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() {
 	document.body.removeChild( iframe );
 });
 
+test("XSS via location.hash", function() {
+	expect(1);
+	
+	stop();
+	jQuery._check9521 = function(x){
+		ok( x, "script called from #id-like selector with inline handler" );
+		jQuery("#check9521").remove();
+		delete jQuery._check9521;
+		start();
+	};
+	try {
+		// This throws an error because it's processed like an id
+		jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture");
+	} catch (err) {
+		jQuery._check9521(true);
+	};
+});
+
 if ( !isLocal ) {
 test("isXMLDoc - XML", function() {
 	expect(3);
-- 
2.39.5