Diffstat (limited to 'misc/drupal.js')
-rw-r--r-- | misc/drupal.js | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/misc/drupal.js b/misc/drupal.js
index 83b088428..643baa1bf 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -7,6 +7,27 @@ jQuery.noConflict();
 (function ($) {

 /**
+ * Override jQuery.fn.init to guard against XSS attacks.
+ *
+ * See http://bugs.jquery.com/ticket/9521
+ */
+var jquery_init = $.fn.init;
+$.fn.init = function (selector, context, rootjQuery) {
+  // If the string contains a "#" before a "<", treat it as invalid HTML.
+  if (selector && typeof selector === 'string') {
+    var hash_position = selector.indexOf('#');
+    if (hash_position >= 0) {
+      var bracket_position = selector.indexOf('<');
+      if (bracket_position > hash_position) {
+        throw 'Syntax error, unrecognized expression: ' + selector;
+      }
+    }
+  }
+  return jquery_init.call(this, selector, context, rootjQuery);
+};
+$.fn.init.prototype = jquery_init.prototype;
+
+/**
  * Attach all registered behaviors to a page element.
  *
  * Behaviors are event-triggered actions that attach to page elements, enhancing |
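Review bot: The guard throws a bare string (`throw 'Syntax error, unrecognized expression: ' + selector;`), which carries no stack trace and cannot be told apart by `instanceof` from other thrown strings; `throw new Error('Syntax error, unrecognized expression: ' + selector);` keeps the same message while giving callers and error reporters a proper Error object. The check compares only the first `#` and the first `<`, so it covers exactly the `#<…>` pattern from the referenced jQuery ticket and nothing more; strings without a `#` still take the bundled jQuery's original selector-vs-HTML path, so this is a stopgap until the jQuery library itself is updated, which the docblock should say, e.g. `* This is a mitigation only; it does not replace upgrading jQuery.` The override also depends on the three-argument `init(selector, context, rootjQuery)` signature and on `$.fn.init.prototype` being the public prototype, both tied to the bundled jQuery version, so a jQuery upgrade should re-check this block. The enclosing `(function ($) {` IIFE closes outside the hunk.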