When detecting html in init, ignore html characters within quotes, brackets, and parens as well as escaped characters which are valid in selectors. Fixes #11290.

timmywil
2012-06-19 11:35:45 -04:00
parent 868a9cea08
commit 7692ae419d
2 changed files with 8 additions and 2 deletions


@@ -41,7 +41,8 @@ var
// A simple way to check for HTML strings
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
rhtmlString = /^(?:[^#<]*(<[\w\W]+>)[^>]*$)/,
// Ignore html if within quotes "" '' or brackets/parens [] ()
rhtmlString = /^(?:[^#<\\]*(<[\w\W]+>)(?![^\[]*\])(?![^\(]*\))(?![^']*')(?![^"]*")[^>]*$)/,
// Match a standalone tag
rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
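Review bot: The new comment on `rhtmlString` overstates what the pattern checks. The four negative lookaheads run only after the greedy `(<[\w\W]+>)` capture, so they inspect the text following the last `>` for a closing `]`, `)`, `'` or `"`; they do not establish that the `<` itself sits inside a quoted or bracketed span. The pattern therefore remains a selector-versus-markup heuristic, not a filter. A string with leading text and a tag is still routed to HTML parsing, and the `#9521` guard only covers input containing `#` before the first `<`. I would record that next to the regex, for example `// Heuristic only: lookaheads test the text after the last ">", not real nesting; not a sanitizer, callers must not pass untrusted strings`. The enclosing `var` statement starts and ends outside this hunk, so how `init` consumes the match is not visible here.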