Bug Tracker

Opened 8 years ago

Closed 7 years ago

#6429 closed bug (wontfix)

Selector problem: elements with "<" and ">" with backslash escaping aren't selected

Reported by: mriver Owned by:
Priority: undecided Milestone: 1.4.3
Component: selector Version: 1.4.2
Keywords: selector escape meta character Cc:
Blocked by: Blocking:

Description

According to the official API reference, I escaped the "<" and ">" characters in the jQuery selector. As expected, "#foo>" and "#<bar" are selected, but "#<buz>" isn't. Mysteriously, "#>qux<" is selected correctly.

This can be replicated with the following code:

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en'>
<head>
    <meta http-equiv='Content-Type' content='text/html;charset=UTF-8' />
    <script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.js'></script>
    <title>Selector Escaping</title>
    <script type='text/javascript'>
    //<![CDATA[
        $(function(){
           $('#foo\\>').css('background', '#99ff99');       // OK: selected
           $('#\\<bar').css('background', '#99ff99');       // OK: selected
           $('#\\<buz\\>').css('background', '#99ff99');    // NG: not selected
           $('#\\>qux\\<').css('background', '#99ff99');    // OK: selected
        });
    //]]>
    </script>
</head>
<body>
    <div id='foo&gt;'>#foo&gt;</div>
    <div id='&lt;bar'>#&lt;bar</div>
    <div id='&lt;buz&gt;'>#&lt;buz&gt;</div>
    <div id='&gt;qux&lt;'>#&gt;qux&lt;</div>
</body>
</html>

Change History (1)

comment:1 Changed 7 years ago by dmethvin

Priority: undecided
Resolution: wontfix
Status: new → closed

This is due to the documented behavior of the jQuery() method.

If a string is passed as the parameter to $(), jQuery examines the string to see if it looks like HTML (i.e., it has <tag ... > somewhere within the string). If not, the string is interpreted as a selector expression, as explained above. -- http://api.jquery.com/jQuery/#jQuery2

This case looks more like an exploit than a legitimate page. ID attributes can't contain either < or > characters.

http://jsfiddle.net/dmethvin/wpkBJ/
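The heuristic quoted above explains why only the third string fails: jQuery 1.4.x tested every string passed to $() against a "looks like HTML" pattern before treating it as a selector. The following is an added example, not code from the ticket or from jQuery itself; QUICK_EXPR_14 is jQuery 1.4.2's quickExpr pattern and QUICK_EXPR_19 the narrower check introduced in jQuery 1.9, as I know them, and findById is a hypothetical helper showing the lookup that avoids the markup path entirely.

```javascript
// Added example (not from the ticket or jQuery): reproduce the $() string
// dispatch so the four reported selectors can be classified without a DOM.
// QUICK_EXPR_14 is jQuery 1.4.2's quickExpr (as recalled); it fires on a
// "<...>" run anywhere in the string. QUICK_EXPR_19 is the 1.9+ pattern,
// which only accepts markup that starts with "<" (or a plain "#id").
const QUICK_EXPR_14 = /^[^<]*(<[\w\W]+>)[^>]*$/;
const QUICK_EXPR_19 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns "html" when $() would parse the string as markup, else "selector".
// jQuery takes the markup branch only when capture group 1 matched.
function classifyArg(str, re = QUICK_EXPR_14) {
  const m = re.exec(str);
  return m && m[1] ? "html" : "selector";
}

// The four strings from the report, escaped exactly as the reporter did,
// with the classification each gets under the 1.4.2 pattern.
function classifyReported(re = QUICK_EXPR_14) {
  return {
    "#foo\\>":    classifyArg("#foo\\>", re),    // no "<" at all
    "#\\<bar":    classifyArg("#\\<bar", re),    // "<" but no closing ">"
    "#\\<buz\\>": classifyArg("#\\<buz\\>", re), // "<buz\>" is a <...> run
    "#\\>qux\\<": classifyArg("#\\>qux\\<", re), // ">" precedes "<": no run
  };
}

// Defensive lookup: resolve an id through the DOM API instead of building a
// selector string for $(), so no markup-parsing path is reachable. `doc` is
// any object exposing getElementById (a real document, or a stub in tests).
function findById(doc, id) {
  return doc.getElementById(id); // null when absent, never parsed as HTML
}
```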
