author | timmywil <timmywillisn@gmail.com> | 2012-06-20 16:19:06 -0400 |
---|---|---|
committer | timmywil <timmywillisn@gmail.com> | 2012-06-21 11:38:31 -0400 |
commit | c20e031058c6210a1ed753f75af80588f076d60d (patch) | |
tree | f4db91d701dcd2d23147294aa5374846adb12962 /src/core.js | |
parent | bc9945a6a466e3431260615c2e663ca8848095e7 (diff) | |
Revert "Adjust jQuery('html') detection to only match when html starts with '<' (counting space characters). Fixes #11290"
This reverts commit 239fc86b01d52fd9df6d1963027ed37b4f6251fc.
The consensus is that this would change behavior too abruptly. We will warn in 1.8 and do this in 1.9.
Diffstat (limited to 'src/core.js')
-rw-r--r-- | src/core.js | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/core.js b/src/core.js
index 14a653916..1bf7e5603 100644
--- a/src/core.js
+++ b/src/core.js
@@ -40,8 +40,9 @@ var
 trimRight = /\s+$/,
 // A simple way to check for HTML strings
- // If starts-with '<'
- rhtmlString = /^\s*(<[\w\W]+>)[^>]*$/,
+ // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+ // Ignore html if within quotes "" '' or brackets/parens [] ()
+ rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
 // Match a standalone tag
 rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/, |
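Review bot: The restored `rhtmlString` still classifies a string as HTML when `<` appears after leading text, because `[^#<\\]*` only excludes `#`, `<` and `\` ahead of the tag; the comment above it cites #9521 but says nothing about this remaining case (#11290). Since the commit message defers the stricter starts-with-`<` check to 1.9 and promises a warning in 1.8, I would record that next to the pattern, e.g. `// TODO(1.9): match only when the string starts with '<' (#11290); until then strings built from untrusted input must not be passed to jQuery()`. The four negative lookaheads run only after the greedy `<[\w\W]+>` match and look like heuristics rather than a sanitizer, so a short comment saying they are not a security boundary would help readers. The enclosing `var` declaration list begins and ends outside the hunk.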