authorDavid Rothstein <drothstein@gmail.com>2013-01-16 16:45:48 -0500
committerDavid Rothstein <drothstein@gmail.com>2013-01-16 16:45:48 -0500
commit1d4604da252f0e6e19339957ec214388f61b908d (patch)
tree70f9fcda3737207074200a44e7cf949aebc60c66 /misc
parentb47f95d3013619e33cafdf8b769b2b6179a07956 (diff)
Drupal 7.19
Diffstat (limited to 'misc')
-rw-r--r--misc/collapse.js4
-rw-r--r--misc/drupal.js21
-rw-r--r--misc/vertical-tabs.js4
3 files changed, 25 insertions, 4 deletions
diff --git a/misc/collapse.js b/misc/collapse.js
index bd51ce532..512ff2f9f 100644
--- a/misc/collapse.js
+++ b/misc/collapse.js
@@ -58,9 +58,9 @@ Drupal.behaviors.collapse = {
$('fieldset.collapsible', context).once('collapse', function () {
var $fieldset = $(this);
// Expand fieldset if there are errors inside, or if it contains an
- // element that is targeted by the URI fragment identifier.
+ // element that is targeted by the URI fragment identifier.
var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
- if ($('.error' + anchor, $fieldset).length) {
+ if ($fieldset.find('.error' + anchor).length) {
$fieldset.removeClass('collapsed');
}
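Review bot: The new `$fieldset.find('.error' + anchor)` still concatenates the raw `location.hash` into a selector string, so a fragment that is not a valid selector (for example one containing `/` or `=`) can make the selector engine throw and abort this behavior for every fieldset on the page. Because the fragment is attacker-influenced through the link a user follows, it can also carry extra comma-separated selectors, which here would only force fieldsets open. Looking the target up by id avoids both: `var target = location.hash.length > 1 && document.getElementById(location.hash.substring(1));` followed by `if ($fieldset.find('.error').length || (target && $.contains($fieldset[0], target))) {`. The same raw-fragment pattern is in the misc/vertical-tabs.js hunk, and the enclosing attach function continues outside this hunk.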
diff --git a/misc/drupal.js b/misc/drupal.js
index 83b088428..643baa1bf 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -7,6 +7,27 @@ jQuery.noConflict();
(function ($) {
/**
+ * Override jQuery.fn.init to guard against XSS attacks.
+ *
+ * See http://bugs.jquery.com/ticket/9521
+ */
+var jquery_init = $.fn.init;
+$.fn.init = function (selector, context, rootjQuery) {
+ // If the string contains a "#" before a "<", treat it as invalid HTML.
+ if (selector && typeof selector === 'string') {
+ var hash_position = selector.indexOf('#');
+ if (hash_position >= 0) {
+ var bracket_position = selector.indexOf('<');
+ if (bracket_position > hash_position) {
+ throw 'Syntax error, unrecognized expression: ' + selector;
+ }
+ }
+ }
+ return jquery_init.call(this, selector, context, rootjQuery);
+};
+$.fn.init.prototype = jquery_init.prototype;
+
+/**
* Attach all registered behaviors to a page element.
*
* Behaviors are event-triggered actions that attach to page elements, enhancing
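Review bot: The doc comment on the `$.fn.init` override says only "guard against XSS attacks" and does not state how narrow the guard is: it rejects a string only when a `#` occurs before the first `<`, and every other string, including one that begins with markup, is passed to the original init unchanged. I would add a line such as `* Only strings with "#" before "<" are rejected; strings starting with markup are still parsed as HTML, so untrusted input must never be passed to $().` so that callers do not read this as a general sanitizer. Separately, `throw 'Syntax error, ...'` throws a bare string that echoes the raw selector; `throw new Error('Syntax error, unrecognized expression: ' + selector);` would keep a stack trace, though that should be confirmed against any code that catches the string form, and whatever displays the message should insert it as text.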
diff --git a/misc/vertical-tabs.js b/misc/vertical-tabs.js
index 14d06607b..ebfaa4f7f 100644
--- a/misc/vertical-tabs.js
+++ b/misc/vertical-tabs.js
@@ -50,8 +50,8 @@ Drupal.behaviors.verticalTabs = {
if (!tab_focus) {
// If the current URL has a fragment and one of the tabs contains an
// element that matches the URL fragment, activate that tab.
- if (window.location.hash && $(window.location.hash, this).length) {
- tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
+ if (window.location.hash && $(this).find(window.location.hash).length) {
+ tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
}
else {
tab_focus = $('> .vertical-tabs-pane:first', this);
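Review bot: `$(this).find(window.location.hash)` is evaluated twice on the added lines, once for the `.length` test and again for `.closest()`, so the fragment is parsed and the subtree searched twice. Holding the result in a local reads more clearly and keeps the two uses from drifting apart: `var $target = window.location.hash ? $(this).find(window.location.hash) : $();` then `if ($target.length) { tab_focus = $target.closest('.vertical-tabs-pane'); }`. The enclosing behavior starts and ends outside this hunk.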