🔒️ fix CVE-2012-6708

Author: ctcpip

src/core.js

@@ -21,7 +21,8 @@ var jQuery = window.jQuery = window.$ = function( selector, context ) {
 
 // A simple way to check for HTML strings or ID strings
 // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-var quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+// Strict HTML recognition (#11290: must start with <)
+var quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
 
 // Is it a simple selector
 	isSimple = /^.[^:#\[\.]*$/,