author | Dave Methvin <dave.methvin@gmail.com> | 2011-08-23 08:25:11 -0400 |
---|---|---|
committer | Dave Methvin <dave.methvin@gmail.com> | 2011-08-23 08:25:11 -0400 |
commit | 749dbad981f040bd65cbb50c10e9aa6e44bd26ff (patch) | |
tree | 9c22cd63ed60e6006c61dd61ce3188499b538036 /src/core.js | |
parent | 84f29084d6ac8077ce5dcb4dd94d43aaeed18fb0 (diff) | |
Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
Diffstat (limited to 'src/core.js')
-rw-r--r-- | src/core.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core.js b/src/core.js
index 694f884d6..0b99b74a2 100644
--- a/src/core.js
+++ b/src/core.js
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
  rootjQuery,
 
  // A simple way to check for HTML strings or ID strings
- // (both of which we optimize for)
- quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+ // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+ quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
 
  // Check if a string has a non-whitespace character in it
  rnotwhite = /\S/,
 |
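Review bot: The new `[^#<]*` prefix in `quickExpr` only closes the case where a `#` appears before the first `<`, so a string from any other untrusted source (query string, form field, postMessage data) with plain text before a tag still matches the HTML branch and is parsed as markup. I would state that limit in the comment, for example `// Text containing "#" before "<" is never treated as HTML; other strings with "<...>" still are, so callers must not pass untrusted input to jQuery()`. A stricter follow-up would be to accept HTML only when the string begins with `<` (optionally after whitespace), but that changes behaviour for existing callers and needs its own deprecation decision. The diffstat shown is limited to src/core.js, so I cannot tell whether a regression test covers this; if not, one asserting that a `#`-prefixed string containing a tag creates no elements would pin the fix. The `var` declaration list this regex sits in starts and ends outside the hunk.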