diff --git a/.gitmodules b/.gitmodules
index 19c60418e3..2c37e3ae62 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,6 @@
 [submodule "src/sizzle"]
 path = src/sizzle
- url = git://github.com/jquery/sizzle.git
+ url = https://github.com/jquery/sizzle.git
 [submodule "test/qunit"]
 path = test/qunit
- url = git://github.com/jquery/qunit.git
+ url = https://github.com/qunitjs/qunit.git
diff --git a/build/jslint-check.js b/build/jslint-check.js
index 72d6701876..567f99a952 100644
--- a/build/jslint-check.js
+++ b/build/jslint-check.js
@@ -1,5 +1,5 @@
 var JSLINT = require("./lib/jslint").JSLINT,
- print = require("sys").print,
+ print = console.log,
 src = require("fs").readFileSync("dist/jquery.js", "utf8");
 JSLINT(src, { evil: true, forin: true, maxerr: 100 });
@@ -21,7 +21,7 @@ var e = JSLINT.errors, found = 0, w;
 for ( var i = 0; i < e.length; i++ ) {
 w = e[i];
- if ( !ok[ w.reason ] ) {
+ if ( w && !ok[ w.reason ] ) {
 found++;
 print( "\n" + w.evidence + "\n" );
 print( " Problem at line " + w.line + " character " + w.character + ": " + w.reason );
diff --git a/build/post-compile.js b/build/post-compile.js
index 98b8b849fa..aca870c336 100644
--- a/build/post-compile.js
+++ b/build/post-compile.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-var print = require( "sys" ).print,
+var print = console.log,
 fs = require( "fs" ),
 src = fs.readFileSync( process.argv[2], "utf8" ),
 version = fs.readFileSync( "version.txt", "utf8" ),
diff --git a/component.json b/component.json
index a3525b8844..29d893ac65 100755
--- a/component.json
+++ b/component.json
@@ -1,6 +1,6 @@
 {
 "name" : "jquery",
- "version" : "1.6.4",
+ "version" : "1.6.5-sec",
 "main" : "./jquery.js",
 "dependencies": {
 }
diff --git a/jquery.js b/jquery.js
old mode 100755
new mode 100644
index 719e1d4ec1..d0e5bfb246
--- a/jquery.js
+++ b/jquery.js
@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v1.6.4
+ * jQuery JavaScript Library v1.6.5-sec
 * http://jquery.com/
 *
 * Copyright 2011, John Resig
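Review bot: `console.log` is not a drop-in replacement for `sys.print` in build/jslint-check.js, because it appends a newline to every call, so the `"\n" + w.evidence + "\n"` output gains extra blank lines. The same substitution is made in build/post-compile.js; if that script writes the processed source through `print` (the hunk does not show the call), the generated file gains a trailing newline. A wrapper that keeps the old byte-for-byte behaviour is `print = function( s ) { process.stdout.write( s ); }`.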
@@ -11,7 +11,7 @@ * Copyright 2011, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * - * Date: Mon Sep 12 18:54:48 2011 -0400 + * Date: Fri Dec 15 14:14:35 2023 -0600 */ (function( window, undefined ) { @@ -38,7 +38,8 @@ var jQuery = function( selector, context ) { // A simple way to check for HTML strings or ID strings // Prioritize #id over to avoid XSS via location.hash (#9521) - quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, + // Strict HTML recognition (#11290: must start with <) + quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/, // Check if a string has a non-whitespace character in it rnotwhite = /\S/, @@ -213,7 +214,7 @@ jQuery.fn = jQuery.prototype = { selector: "", // The current version of jQuery being used - jquery: "1.6.4", + jquery: "1.6.5-sec", // The default length of a jQuery object is 0 length: 0, @@ -357,8 +358,9 @@ jQuery.extend = jQuery.fn.extend = function() { src = target[ name ]; copy = options[ name ]; + // Prevent Object.prototype pollution // Prevent never-ending loop - if ( target === copy ) { + if ( name === "__proto__" || target === copy ) { continue; } @@ -1401,6 +1403,12 @@ jQuery.support = (function() { } } + // Support: IE <=9 only + // IE <=9 replaces "; + support.option = !!div.lastChild; + // Null connected elements to avoid leaks in IE testElement = fragment = select = opt = body = marginDiv = div = input = null; @@ -5529,7 +5537,6 @@ function winnow( elements, qualifier, keep ) { var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, rleadingWhitespace = /^\s+/, - rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig, rtagName = /<([\w:]+)/, rtbody = /" ], legend: [ 1, "
", "
" ], thead: [ 1, "", "
" ], tr: [ 2, "", "
" ], @@ -5549,10 +5555,14 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, _default: [ 0, "", "" ] }; -wrapMap.optgroup = wrapMap.option; wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead; wrapMap.th = wrapMap.td; +// Support: IE <=9 only +if ( !jQuery.support.option ) { + wrapMap.optgroup = wrapMap.option = [ 1, "" ]; +} + // IE can't serialize and tags normally if ( !jQuery.support.htmlSerialize ) { wrapMap._default = [ 1, "div
", "
" ]; @@ -5732,8 +5742,6 @@ jQuery.fn.extend({ (jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value )) && !wrapMap[ (rtagName.exec( value ) || ["", ""])[1].toLowerCase() ] ) { - value = value.replace(rxhtmlTag, "<$1>"); - try { for ( var i = 0, l = this.length; i < l; i++ ) { // Remove element nodes and prevent memory leaks @@ -6144,8 +6152,6 @@ jQuery.extend({ if ( !rhtml.test( elem ) ) { elem = context.createTextNode( elem ); } else { - // Fix "XHTML"-style tags in all browsers - elem = elem.replace(rxhtmlTag, "<$1>"); // Trim whitespace, otherwise indexOf won't work as expected var tag = (rtagName.exec( elem ) || ["", ""])[1].toLowerCase(), @@ -6688,7 +6694,7 @@ var r20 = /%20/g, rnoContent = /^(?:GET|HEAD)$/, rprotocol = /^\/\//, rquery = /\?/, - rscript = /<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, + rscript = /<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi, rselectTextarea = /^(?:select|textarea)/i, rspacesAjax = /\s+/, rts = /([?&])_=[^&]*/, @@ -7756,6 +7762,13 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) { +// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) +jQuery.ajaxPrefilter( function( s ) { + if ( s.crossDomain ) { + s.contents.script = false; + } +} ); + // Install script dataType jQuery.ajaxSetup({ accepts: { @@ -9043,4 +9056,4 @@ jQuery.each([ "Height", "Width" ], function( i, name ) { // Expose jQuery to the global object window.jQuery = window.$ = jQuery; -})(window); \ No newline at end of file +})(window); diff --git a/src/ajax.js b/src/ajax.js index 623e9fe719..027d074f11 100644 --- a/src/ajax.js +++ b/src/ajax.js @@ -11,7 +11,7 @@ var r20 = /%20/g, rnoContent = /^(?:GET|HEAD)$/, rprotocol = /^\/\//, rquery = /\?/, - rscript = /<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, + rscript = /<]*(?:(?!<\/script>)<[^<]*)*< *\/ *script *>?/gi, rselectTextarea = /^(?:select|textarea)/i, rspacesAjax = /\s+/, rts = /([?&])_=[^&]*/, 
diff --git a/src/ajax/script.js b/src/ajax/script.js
index f7a9180107..254c4ce613 100644
--- a/src/ajax/script.js
+++ b/src/ajax/script.js
@@ -1,5 +1,12 @@
 (function( jQuery ) {
+// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
+jQuery.ajaxPrefilter( function( s ) {
+ if ( s.crossDomain ) {
+ s.contents.script = false;
+ }
+} );
+
 // Install script dataType
 jQuery.ajaxSetup({
 accepts: {
diff --git a/src/core.js b/src/core.js
index 18cf102355..bb811028f8 100644
--- a/src/core.js
+++ b/src/core.js
@@ -17,7 +17,8 @@ var jQuery = function( selector, context ) {
 // A simple way to check for HTML strings or ID strings
 // Prioritize #id over to avoid XSS via location.hash (#9521)
- quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+ // Strict HTML recognition (#11290: must start with <)
+ quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
 // Check if a string has a non-whitespace character in it
 rnotwhite = /\S/,
@@ -336,8 +337,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 src = target[ name ];
 copy = options[ name ];
+ // Prevent Object.prototype pollution
 // Prevent never-ending loop
- if ( target === copy ) {
+ if ( name === "__proto__" || target === copy ) {
 continue;
 }
diff --git a/src/manipulation.js b/src/manipulation.js
index 2f41feb9a8..5dc9c7a4a9 100644
--- a/src/manipulation.js
+++ b/src/manipulation.js
@@ -2,7 +2,6 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, rleadingWhitespace = /^\s+/,
- rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
 rtagName = /<([\w:]+)/,
 rtbody = /" ], legend: [ 1, "
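Review bot: The comment above the new prefilter in src/ajax/script.js promises more than the code delivers: it says scripts are not auto-executed "when no explicit dataType was provided", but the body clears `s.contents.script` only when `s.crossDomain` is set, so same-domain responses are still content-type sniffed as before. Suggest `// Prevent auto-execution of scripts for cross-domain requests when no explicit dataType was provided (See gh-2432)`. `s.crossDomain` is also a setting the caller can pass (the added tests do), so the protection depends on that flag being right; a sentence in the API notes saying so would help integrators. The same block is duplicated in the built jquery.js earlier in this diff and should carry the same wording.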
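Review bot: No regression test for the new `name === "__proto__"` skip in jQuery.extend (src/core.js) is visible in the test changes on this page, so the guard could be lost in a later merge without any failure. A case in test/unit/core.js along the lines of `jQuery.extend( true, {}, JSON.parse( '{"__proto__": {"devMode": true}}' ) );` followed by `ok( !( "devMode" in {} ), "Object.prototype not polluted" );` would pin it. The two stacked comments could also be merged into one line naming both reasons for the `continue`. The body of jQuery.extend starts and ends outside the hunk.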
", "
" ], thead: [ 1, "", "
" ], tr: [ 2, "", "
" ], @@ -22,10 +20,14 @@ var rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, _default: [ 0, "", "" ] }; -wrapMap.optgroup = wrapMap.option; wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead; wrapMap.th = wrapMap.td; +// Support: IE <=9 only +if ( !jQuery.support.option ) { + wrapMap.optgroup = wrapMap.option = [ 1, "" ]; +} + // IE can't serialize and tags normally if ( !jQuery.support.htmlSerialize ) { wrapMap._default = [ 1, "div
", "
" ]; @@ -205,8 +207,6 @@ jQuery.fn.extend({ (jQuery.support.leadingWhitespace || !rleadingWhitespace.test( value )) && !wrapMap[ (rtagName.exec( value ) || ["", ""])[1].toLowerCase() ] ) { - value = value.replace(rxhtmlTag, "<$1>"); - try { for ( var i = 0, l = this.length; i < l; i++ ) { // Remove element nodes and prevent memory leaks @@ -617,8 +617,6 @@ jQuery.extend({ if ( !rhtml.test( elem ) ) { elem = context.createTextNode( elem ); } else { - // Fix "XHTML"-style tags in all browsers - elem = elem.replace(rxhtmlTag, "<$1>"); // Trim whitespace, otherwise indexOf won't work as expected var tag = (rtagName.exec( elem ) || ["", ""])[1].toLowerCase(), diff --git a/src/support.js b/src/support.js index 6608d91254..1d0b02a017 100644 --- a/src/support.js +++ b/src/support.js @@ -246,6 +246,12 @@ jQuery.support = (function() { } } + // Support: IE <=9 only + // IE <=9 replaces "; + support.option = !!div.lastChild; + // Null connected elements to avoid leaks in IE testElement = fragment = select = opt = body = marginDiv = div = input = null; diff --git a/test/unit/ajax.js b/test/unit/ajax.js index f871da723e..7e2ca9c173 100644 --- a/test/unit/ajax.js +++ b/test/unit/ajax.js 
@@ -70,6 +70,70 @@ test("jQuery.ajax() - success callbacks - (url, options) syntax", function() {
 }, 13);
 });
+test( "jQuery.ajax() - do not execute js (crossOrigin) 1", 2, function() {
+
+ jQuery.ajaxSetup({ timeout: 0 });
+
+ stop();
+
+ setTimeout(function(){
+ jQuery.ajax({
+ url: url( "data/script.php?header=ecma" ),
+ crossDomain: true,
+ success: function() {
+ ok( true, "success" );
+ },
+ complete: function() {
+ ok( true, "complete" );
+ start();
+ }
+ });
+ }, 13);
+} );
+
+test( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3, function() {
+
+ jQuery.ajaxSetup({ timeout: 0 });
+
+ stop();
+
+ setTimeout(function(){
+ jQuery.ajax({
+ url: url( "data/script.php?header=ecma" ),
+ crossDomain: true,
+ dataType: "script",
+ success: function() {
+ ok( true, "success" );
+ },
+ complete: function() {
+ ok( true, "complete" );
+ start();
+ }
+ });
+ }, 13);
+} );
+
+test( "jQuery.ajax() - do not execute js (crossOrigin) 2", 2, function() {
+
+ jQuery.ajaxSetup({ timeout: 0 });
+
+ stop();
+
+ setTimeout(function(){
+ jQuery.ajax({
+ url: url( "data/script.php" ),
+ crossDomain: true,
+ success: function() {
+ ok( true, "success" );
+ },
+ complete: function() {
+ ok( true, "complete" );
+ start();
+ }
+ });
+ }, 13);
+} );
+
 test("jQuery.ajax() - success callbacks (late binding)", function() {
 expect( 8 );
diff --git a/test/unit/core.js b/test/unit/core.js
index fdf0ceb5ef..be7b3808bd 100644
--- a/test/unit/core.js
+++ b/test/unit/core.js
@@ -12,7 +12,7 @@ test("Basic requirements", function() {
 });
 test("jQuery()", function() {
- expect(29);
+ expect(25);
 // Basic constructor's behavior
@@ -56,7 +56,7 @@ test("jQuery()", function() {
 var img = jQuery("");
 equals( img.length, 1, "Correct number of elements generated for img" );
 equals( img.parent().length, 0, "Make sure that the generated HTML has no parent." );
- var div = jQuery("
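Review bot: The two "do not execute js" tests in test/unit/ajax.js detect script execution only through the expected-assertion count `2`, and the `3` in the dataType test presumably relies on data/script.php itself calling `ok()`; neither is stated in the code. A comment above each count, for example `// The fetched script calls ok(); a third assertion means it was executed`, would make the security intent readable without opening the fixture. Each test also calls `jQuery.ajaxSetup({ timeout: 0 })`, which changes the global defaults and is not restored inside the hunk, so later tests inherit it. The test names say "crossOrigin" while the option under test is `crossDomain`; using one term avoids confusion when searching for the regression.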

"); + var div = jQuery("

"); equals( div.length, 4, "Correct number of elements generated for div hr code b" ); equals( div.parent().length, 0, "Make sure that the generated HTML has no parent." ); @@ -97,16 +97,11 @@ test("jQuery()", function() { // manually clean up detached elements elem.remove(); - equals( jQuery("
").length, 1, "Make sure whitespace is trimmed." ); - equals( jQuery(" a
b ").length, 1, "Make sure whitespace and other characters are trimmed." ); - var long = ""; for ( var i = 0; i < 128; i++ ) { long += "12345678"; } - equals( jQuery("
" + long + "
").length, 1, "Make sure whitespace is trimmed on long strings." ); - equals( jQuery(" a
" + long + "
b ").length, 1, "Make sure whitespace and other characters are trimmed on long strings." ); }); test("selector state", function() { @@ -580,6 +575,36 @@ test("jQuery('html', context)", function() { equals($span.length, 1, "Verify a span created with a div context works, #1763"); }); +test("XSS via location.hash", function() { + expect(1); + + stop(); + jQuery._check9521 = function(x){ + ok( x, "script called from #id-like selector with inline handler" ); + jQuery("#check9521").remove(); + delete jQuery._check9521; + }; + + var $eCheck9521 = jQuery( '#
").appendTo("body"); equals( div2.find("input").css("height"), "20px", "Height on hidden input." ); equals( div2.find("textarea").css("height"), "20px", "Height on hidden textarea." ); diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js index 4017cf196e..f2e1f55189 100644 --- a/test/unit/manipulation.js +++ b/test/unit/manipulation.js @@ -1129,7 +1129,7 @@ var testHtml = function(valueObj) { } ok( pass, "Set HTML" ); - div = jQuery("
").html( valueObj("
") ); + div = jQuery("
").html( valueObj("
") ); equals( div.children().length, 2, "Make sure two child nodes exist." ); equals( div.children().children().length, 1, "Make sure that a grandchild exists." ); diff --git a/version.txt b/version.txt index 6463e95e86..6791815070 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -1.6.4 \ No newline at end of file +1.6.5-sec