🔒️ fix CVE-2012-6708

jquery-lts · ctcpip · Feb 12, 2014 · Feb 12, 2014 · Feb 12, 2014 · Dec 20, 2023
commit 8bdec180f21fc746f7e15a73672bd4568ac37c19
diff --git a/src/core.js b/src/core.js
@@ -21,7 +21,8 @@ var jQuery = window.jQuery = window.$ = function( selector, context ) {
 
 // A simple way to check for HTML strings or ID strings
 // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-var quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
+// Strict HTML recognition (#11290: must start with <)
+var quickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
 
 // Is it a simple selector
 	isSimple = /^.[^:#\[\.]*$/,