author | David Rothstein <drothstein@gmail.com> | 2013-01-16 16:45:48 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2013-01-16 16:45:48 -0500 |
commit | 1d4604da252f0e6e19339957ec214388f61b908d (patch) | |
tree | 70f9fcda3737207074200a44e7cf949aebc60c66 /misc/drupal.js | |
parent | b47f95d3013619e33cafdf8b769b2b6179a07956 (diff) | |
Drupal 7.19
Diffstat (limited to 'misc/drupal.js')
-rw-r--r-- | misc/drupal.js | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/misc/drupal.js b/misc/drupal.js
index 83b088428..643baa1bf 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -7,6 +7,27 @@ jQuery.noConflict();
 (function ($) {
 
 /**
+ * Override jQuery.fn.init to guard against XSS attacks.
+ *
+ * See http://bugs.jquery.com/ticket/9521
+ */
+var jquery_init = $.fn.init;
+$.fn.init = function (selector, context, rootjQuery) {
+  // If the string contains a "#" before a "<", treat it as invalid HTML.
+  if (selector && typeof selector === 'string') {
+    var hash_position = selector.indexOf('#');
+    if (hash_position >= 0) {
+      var bracket_position = selector.indexOf('<');
+      if (bracket_position > hash_position) {
+        throw 'Syntax error, unrecognized expression: ' + selector;
+      }
+    }
+  }
+  return jquery_init.call(this, selector, context, rootjQuery);
+};
+$.fn.init.prototype = jquery_init.prototype;
+
+/**
  * Attach all registered behaviors to a page element.
  *
  * Behaviors are event-triggered actions that attach to page elements, enhancing
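Review bot: The guard in the new `$.fn.init` wrapper only rejects a string in which a `#` precedes a `<`, so it covers the `$(location.hash)` pattern from jQuery ticket 9521 and nothing more; a fragment whose leading `#` was already stripped, or markup handed to `.html()`/`.append()`, still reaches jQuery's HTML parser, and the docblock's blanket "guard against XSS attacks" should be narrowed to say so. It would also help to record why the override exists: as far as I recall, jQuery before 1.6.3 treats a selector string containing a `<…>` tag as HTML even when it does not start with `<`, and the `#`-before-`<` rule here mirrors the fix jQuery itself shipped in 1.6.3, so once the bundled jQuery (not visible in this hunk) is upgraded past that release the wrapper becomes redundant and should be removed. Suggested docblock line: ` * Rejects selector strings in which a '#' precedes a '<' (e.g. a location.hash value carrying markup), which jQuery prior to 1.6.3 would otherwise parse as HTML; it does not sanitize values passed to .html() or similar.` One style point: `throw 'Syntax error, unrecognized expression: ' + selector;` throws a bare string, which drops the stack trace and bypasses `instanceof Error` handlers — it matches Sizzle's own error text, but `throw new Error('Syntax error, unrecognized expression: ' + selector);` would keep the message while being debuggable. The wrapper is complete within the hunk; the enclosing `(function ($) {` IIFE continues past it.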