From 6cdca88eee674e48f9bf0e41fca18f75f32426b7 Mon Sep 17 00:00:00 2001
From: timmywil <timmywillisn@gmail.com>
Date: Wed, 20 Jun 2012 16:22:36 -0400
Subject: Restore rhtmlString to its original form. 1.9 will come with
 starts-with html matching. For now, we are warning against broad use of
 jQuery() to parse html.

---
 src/core.js       |  3 +--
 test/unit/core.js | 10 +++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/core.js b/src/core.js
index 1bf7e5603..c0113a190 100644
--- a/src/core.js
+++ b/src/core.js
@@ -41,8 +41,7 @@ var
 
 	// A simple way to check for HTML strings
 	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	// Ignore html if within quotes "" '' or brackets/parens [] ()
-	rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
+	rhtmlString = /^(?:[^#<]*(<[\w\W]+>)[^>]*$)/,
 
 	// Match a standalone tag
 	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
diff --git a/test/unit/core.js b/test/unit/core.js
index 0b392adf1..95f26fcbd 100644
--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -605,7 +605,7 @@ test("isWindow", function() {
 });
 
 test("jQuery('html')", function() {
-	expect( 22 );
+	expect( 18 );
 
 	QUnit.reset();
 	jQuery.foo = false;
@@ -638,10 +638,10 @@ test("jQuery('html')", function() {
 	ok( jQuery("<div></div>")[0], "Create a div with closing tag." );
 	ok( jQuery("<table></table>")[0], "Create a table with closing tag." );
 
-	equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
-	equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
-	equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
-	equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
+	// equal( jQuery("element[attribute='<div></div>']").length, 0, "When html is within brackets, do not recognize as html." );
+	// equal( jQuery("element[attribute=<div></div>]").length, 0, "When html is within brackets, do not recognize as html." );
+	// equal( jQuery("element:not(<div></div>)").length, 0, "When html is within parens, do not recognize as html." );
+	// equal( jQuery("\\<div\\>").length, 0, "Ignore escaped html characters" );
 
 	// Test very large html string #7990
 	var i;
-- 
cgit v1.2.3

alue='swistak'>swistak</option>
<option value='work'>work</option>
</select> <input type='submit' value='switch'/></form></td></tr>
<tr><td class='sub'>Mirror of redmine code source: https://github.com/redmine/redmine</td><td class='sub right'>www-data</td></tr></table>
<table class='tabs'><tr><td>
<a href='/redmine.git/'>summary</a><a href='/redmine.git/refs/?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>refs</a><a href='/redmine.git/log/app/views/projects/new.html.erb'>log</a><a class='active' href='/redmine.git/tree/app/views/projects/new.html.erb?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>tree</a><a href='/redmine.git/commit/app/views/projects/new.html.erb?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>commit</a><a href='/redmine.git/diff/app/views/projects/new.html.erb?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>diff</a><a href='/redmine.git/stats/app/views/projects/new.html.erb'>stats</a></td><td class='form'><form class='right' method='get' action='/redmine.git/log/app/views/projects/new.html.erb'>
<input type='hidden' name='id' value='7183530e7a10ceb2111b3fa850a0a54e5182fe1e'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/redmine.git/tree/?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>root</a>/<a href='/redmine.git/tree/app?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>app</a>/<a href='/redmine.git/tree/app/views?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>views</a>/<a href='/redmine.git/tree/app/views/projects?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>projects</a>/<a href='/redmine.git/tree/app/views/projects/new.html.erb?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>new.html.erb</a></div><div class='content'>blob: a10cf15a9ae89a55fcc185a80bc6a2d7e7aeebbe (<a href='/redmine.git/plain/app/views/projects/new.html.erb?id=7183530e7a10ceb2111b3fa850a0a54e5182fe1e'>plain</a>)
<table summary='blob content' class='blob'>
<tr><td class='linenumbers'><pre><a id='n1' href='#n1'>1</a>
<a id='n2' href='#n2'>2</a>
<a id='n3' href='#n3'>3</a>
<a id='n4' href='#n4'>4</a>
<a id='n5' href='#n5'>5</a>
<a id='n6' href='#n6'>6</a>
<a id='n7' href='#n7'>7</a>
<a id='n8' href='#n8'>8</a>
</pre></td>
<td class='lines'><pre><code><style>pre { line-height: 125%; }
td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
.highlight .hll { background-color: #ffffcc }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */</style><div class="highlight"><pre><span></span>&lt;h2&gt;&lt;%=l(:label_project_new)%&gt;&lt;/h2&gt;

&lt;% labelled_tabular_form_for :project, @project, :url =&gt; { :action =&gt; &quot;create&quot; } do |f| %&gt;
&lt;%= render :partial =&gt; &#39;form&#39;, :locals =&gt; { :f =&gt; f } %&gt;
&lt;%= submit_tag l(:button_create) %&gt;
&lt;%= submit_tag l(:button_create_and_continue), :name =&gt; &#39;continue&#39; %&gt;
&lt;%= javascript_tag &quot;Form.Element.focus(&#39;project_name&#39;);&quot; %&gt;
&lt;% end %&gt;
</pre></div>