authortimmywil <timmywillisn@gmail.com>2012-06-20 16:22:36 -0400
committertimmywil <timmywillisn@gmail.com>2012-06-21 11:38:31 -0400
commit6cdca88eee674e48f9bf0e41fca18f75f32426b7 (patch)
tree9cc9b13a4cb04f587882a13ad67bc75ecfa72edf
parentc20e031058c6210a1ed753f75af80588f076d60d (diff)
downloadjquery-6cdca88eee674e48f9bf0e41fca18f75f32426b7.tar.gz
jquery-6cdca88eee674e48f9bf0e41fca18f75f32426b7.zip
Restore rhtmlString to its original form. 1.9 will come with starts-with html matching. For now, we are warning against broad use of jQuery() to parse html.
-rw-r--r--src/core.js3
-rw-r--r--test/unit/core.js10
2 files changed, 6 insertions, 7 deletions
diff --git a/src/core.js b/src/core.js
index 1bf7e5603..c0113a190 100644
--- a/src/core.js
+++ b/src/core.js
@@ -41,8 +41,7 @@ var
// A simple way to check for HTML strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
- // Ignore html if within quotes "" '' or brackets/parens [] ()
- rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
+ rhtmlString = /^(?:[^#<]*(<[\w\W]+>)[^>]*$)/,
// Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
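Review bot: The comment above `rhtmlString` still documents only the `#id` priority, but the restored pattern `[^#<]*(<[\w\W]+>)` accepts a tag anywhere in the string as long as no `#` precedes the first `<`, including inside attribute brackets, parens or quotes. The warning against broad use of jQuery() to parse html lives only in the commit message, so a reader of src/core.js will not see it. I would add a line next to the regex such as `// Matches <tag> anywhere unless a # precedes it; do not pass untrusted strings to jQuery()`. The `var` statement begins and continues outside this hunk, so how the match is consumed is not visible here.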
diff --git a/test/unit/core.js b/test/unit/core.js
index 0b392adf1..95f26fcbd 100644
--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -605,7 +605,7 @@ test("isWindow", function() {
});
test("jQuery('html')", function() {
- expect( 22 );
+ expect( 18 );
QUnit.reset();
jQuery.foo = false;
@@ -638,10 +638,10 @@ test("jQuery('html')", function() {
ok( jQuery("<div></div>")[0], "Create a div with closing tag." );
ok( jQuery("<table></table>")[0], "Create a table with closing tag." );
- equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
- equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
- equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
- equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
+ // equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
+ // equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
+ // equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
+ // equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
// Test very large html string #7990
var i;
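Review bot: The four assertions at the `element[attribute=...]`, `element:not(...)` and `\\<div\\>` lines are commented out rather than removed or rewritten, which leaves dead code and no test recording how the restored regex handles these inputs. The restored `rhtmlString` does match all four strings, so they are presumably now handled as html rather than as selectors; that deserves an explicit note or assertion instead of silence. At minimum I would put a comment above them, e.g. `// Disabled until 1.9 starts-with html matching: these strings currently match rhtmlString`, so the reason for the lower `expect( 18 )` count in the earlier hunk is visible in the file. The test body starts before and continues past this hunk.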