Opened August 10, 2012 08:09PM UTC
Closed October 26, 2012 01:12PM UTC
Line 59 of polluted.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
polluted.php exists solely to be used by the test suite.
While I would love to agree with you, user behavior dictates otherwise. It isn't clear to me they are knowingly putting themselves at risk with regards to XSS and this public exploit. http://www.google.com/search?q=inurl:polluted.php should give you a few examples where we see unexpected test suite deployment behavior.
Okay, do you have a proposed fix?
Validate and sanitize the input / output.
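As an added illustration of the fix being asked for here (this is not code from the jQuery project or from polluted.php, and the function and parameter names are assumptions), the pattern behind a reflected-XSS report like this one is a request parameter written into an HTML response without encoding. The snippet shows that form beside the corrected one, which encodes for the HTML text context before output:

```php
<?php
// Added example, not jQuery's polluted.php: a test fixture that reflects a
// request parameter into an HTML page, first as the unsafe pattern and then
// with output encoding applied. Names below are hypothetical.

// Unsafe: the raw parameter is concatenated into the page, so any markup in
// it is parsed and executed by the browser (reflected XSS).
function render_unsafe(string $value): string {
    return "<p>Value: " . $value . "</p>";
}

// Hardened: encode for the HTML text context. ENT_QUOTES also encodes both
// quote characters, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the charset is stated explicitly.
function render_safe(string $value): string {
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Value: " . $encoded . "</p>";
}

// Hardened response writer: the charset in the Content-Type header must match
// the one passed to htmlspecialchars, otherwise the browser may reinterpret
// the encoded bytes.
function respond(string $value): void {
    header('Content-Type: text/html; charset=UTF-8');
    echo "<!DOCTYPE html><html><body>", render_safe($value), "</body></html>";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: markup that should be displayed, not executed.
    $probe = '<script>alert("xss")</script>';
    echo render_unsafe($probe), "\n";   // markup reaches the browser intact
    echo render_safe($probe), "\n";     // &lt;script&gt;... is shown as text
} else {
    // Hypothetical parameter name; a real fixture would take its own.
    respond((string)($_GET['value'] ?? ''));
}
```

Output encoding is the fix for the echoing itself; the thread's other point, that the file was never meant to be deployed at all, is a separate deployment control that no amount of encoding replaces.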
I was kind of hoping for a pull request... :)
Honestly, cloudsrise, we could use a pull request here if you're interested.
This was fixed in https://github.com/jquery/jquery/commit/b62e5522910766a8fb9f1cf29e069360ae75a902 which incorrectly references #12554