Import fix for http://bugs.jquery.com/ticket/9521

author: Renato Botelho <garga@FreeBSD.org> 2014-09-09 11:53:56 -0300
committer: Renato Botelho <garga@FreeBSD.org> 2014-09-09 11:54:36 -0300
commit: 3b0bc8c34e2d9d5c5bb11819228c6cfd186444ed (patch)
tree: d9d9ae6e4d95248e2d7ed9b3417c098f7a6b5b49 /usr/local/www/javascript
parent: 76fa9adb236ba342311190a044f0439aab9425d7 (diff)
download: pfsense-3b0bc8c34e2d9d5c5bb11819228c6cfd186444ed.zip
pfsense-3b0bc8c34e2d9d5c5bb11819228c6cfd186444ed.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/local/www/javascript/jquery.js b/usr/local/www/javascript/jquery.js
index e375a10..859a7b2 100644
--- a/usr/local/www/javascript/jquery.js
+++ b/usr/local/www/javascript/jquery.js
@@ -37,8 +37,8 @@ var jQuery = function( selector, context ) {
 	rootjQuery,
 
 	// A simple way to check for HTML strings or ID strings
-	// (both of which we optimize for)
-	quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+	quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
 
 	// Check if a string has a non-whitespace character in it
 	rnotwhite = /\S/,
author	Renato Botelho <garga@FreeBSD.org>	2014-09-09 11:53:56 -0300
committer	Renato Botelho <garga@FreeBSD.org>	2014-09-09 11:54:36 -0300
commit	3b0bc8c34e2d9d5c5bb11819228c6cfd186444ed (patch)
tree	d9d9ae6e4d95248e2d7ed9b3417c098f7a6b5b49 /usr/local/www/javascript
parent	76fa9adb236ba342311190a044f0439aab9425d7 (diff)
download	pfsense-3b0bc8c34e2d9d5c5bb11819228c6cfd186444ed.zip pfsense-3b0bc8c34e2d9d5c5bb11819228c6cfd186444ed.tar.gz