🔒️ fix CVE-2011-4969

Author: ctcpip

src/core.js

@@ -20,8 +20,8 @@ var jQuery = window.jQuery = window.$ = function( selector, context ) {
 };
 
 // A simple way to check for HTML strings or ID strings
-// (both of which we optimize for)
-var quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#(\w+)$/,
+// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
 
 // Is it a simple selector
 	isSimple = /^.[^:#\[\.]*$/,
@@ -54,13 +54,13 @@ jQuery.fn = jQuery.prototype = {
 
 				// HANDLE: $("#id")
 				else {
-					var elem = document.getElementById( match[3] );
+					var elem = document.getElementById( match[2] );
 
 					// Make sure an element was located
 					if ( elem ){
 						// Handle the case where IE and Opera return items
 						// by name instead of ID
-						if ( elem.id != match[3] )
+						if ( elem.id != match[2] )
 							return jQuery().find( selector );
 
 						// Otherwise, we inject the element directly into the jQuery object

test/unit/core.js

@@ -226,6 +226,29 @@ test("$('html', context)", function() {
 	equals($span.length, 1, "Verify a span created with a div context works, #1763");
 });
 
+test("XSS via location.hash", function() {
+	expect(1);
+
+	stop();
+	jQuery._check9521 = function(x){
+		ok( x, "script called from #id-like selector with inline handler" );
+		jQuery("#check9521").remove();
+		delete jQuery._check9521;
+	};
+
+	var $eCheck9521 = jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' );
+
+	if($eCheck9521.length) {
+		$eCheck9521.appendTo("#main");
+	}
+	else {
+		jQuery._check9521(true);
+	}
+
+	start();
+
+});
+
 if ( !isLocal ) {
 test("$(selector, xml).text(str) - Loaded via XML document", function() {
 	expect(2);