Prioritize #id over <tag> to avoid XSS via location.hash (#9521)

2026-02-11 12:05:01 -05:00 · 2011-08-23 08:25:11 -04:00
parent 84f29084d6
commit 749dbad981
2 changed files with 20 additions and 2 deletions
--- a/src/core.js
+++ b/src/core.js
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
 	rootjQuery,

 	// A simple way to check for HTML strings or ID strings
-	// (both of which we optimize for)
-	quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+	quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,

 	// Check if a string has a non-whitespace character in it
 	rnotwhite = /\S/,