Merge branch '1.5.3-sec' into 1.6.5-sec

Author: ctcpip

src/ajax.js

@@ -11,7 +11,7 @@ var r20 = /%20/g,
 	rnoContent = /^(?:GET|HEAD)$/,
 	rprotocol = /^\/\//,
 	rquery = /\?/,
-	rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi,
+	rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi,
 	rselectTextarea = /^(?:select|textarea)/i,
 	rspacesAjax = /\s+/,
 	rts = /([?&])_=[^&]*/,

test/unit/core.js

@@ -575,6 +575,36 @@ test("jQuery('html', context)", function() {
 	equals($span.length, 1, "Verify a span created with a div context works, #1763");
 });
 
+test("XSS via location.hash", function() {
+	expect(1);
+
+	stop();
+	jQuery._check9521 = function(x){
+		ok( x, "script called from #id-like selector with inline handler" );
+		jQuery("#check9521").remove();
+		delete jQuery._check9521;
+	};
+
+	var $eCheck9521 = jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)"' );
+
+	if($eCheck9521.length) {
+		$eCheck9521.appendTo("#main");
+	}
+	else {
+		jQuery._check9521(true);
+	}
+
+	start();
+
+});
+
+test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
+	expect( 1 );
+
+	jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
+	ok( !( "devMode" in {} ), "Object.prototype not polluted" );
+} );
+
 if ( !isLocal ) {
 test("jQuery(selector, xml).text(str) - Loaded via XML document", function() {
 	expect(2);

version.txt

@@ -1 +1 @@
-1.6.5-sec
+1.6.5-sec