Bug Tracker

#6429 closed bug (wontfix)

Opened April 13, 2010 08:25AM UTC

Closed November 10, 2010 12:31AM UTC

Selector problem: elements with "<" and ">" with backslash escaping aren't selected

Reported by: mriver
Owned by:
Priority: undecided
Milestone: 1.4.3
Component: selector
Version: 1.4.2
Keywords: selector escape meta character
Cc:
Blocked by:
Blocking:

Description

According to the official API reference, I escaped the "<" and ">" characters in the jQuery selector.

As expected "#foo>" and "#<bar" are selected, but "#<buz>" isn't.

Mysteriously, "#>qux<" is selected correctly.

This can be reproduced with the following code:

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en'>
<head>
    <meta http-equiv='Content-Type' content='text/html;charset=UTF-8' />
    <script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.js'></script>
    <title>Selector Escaping</title>
    <script type='text/javascript'>
    //<![CDATA[
        $(function(){
           $('#foo\\>').css('background', '#99ff99');       // OK
           $('#\\<bar').css('background', '#99ff99');       // OK
           $('#\\<buz\\>').css('background', '#99ff99');    // NG
           $('#\\>qux\\<').css('background', '#99ff99');    // OK
        });
    //]]>
    </script>
</head>
<body>    
    <div id='foo>'>#foo></div>
    <div id='<bar'>#<bar</div>
    <div id='<buz>'>#<buz></div>
    <div id='>qux<'>#>qux<</div>
</body>
</html>
Attachments (0)
Change History (1)

Changed November 10, 2010 12:31AM UTC by dmethvin comment:1

priority: → undecided
resolution: → wontfix
status: new → closed

This is due to the documented behavior of the jQuery() method.

If a string is passed as the parameter to $(), jQuery examines the string to see if it looks like HTML (i.e., it has <tag ... > somewhere within the string). If not, the string is interpreted as a selector expression, as explained above. -- http://api.jquery.com/jQuery/#jQuery2

This case looks more like an exploit than a legitimate page. ID attributes can't contain either < or > characters.

http://jsfiddle.net/dmethvin/wpkBJ/
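
The documented rule quoted in comment:1, applied to the four selector strings from the report, as an added example that is not part of the ticket or of jQuery's own code. The regular expression is an assumption that approximates "has <tag ... > somewhere within the string", the selectors use the two-backslash escaping from the jQuery API reference, and `requireSelector` is a hypothetical guard for code that builds selectors from data it does not control.

```javascript
// Approximation of the documented rule (assumption, not jQuery source):
// a "<", at least one character, then a ">" anywhere in the string.
const HTML_LIKE = /<[\w\W]+>/;

// How a string argument to $() would be interpreted under that rule.
function classify(arg) {
  return HTML_LIKE.test(arg) ? 'html' : 'selector';
}

// Hypothetical guard: refuse any string that would be parsed as markup
// instead of being used as a selector. Backslash escaping does not help,
// because the check runs on the raw string before any selector parsing.
function requireSelector(arg) {
  if (typeof arg !== 'string') {
    throw new TypeError('selector must be a string');
  }
  if (classify(arg) === 'html') {
    throw new Error('string would be treated as HTML, not as a selector');
  }
  return arg;
}

// The four selectors from the report, keyed by element id.
const reported = {
  'foo>': '#foo\\>',
  '<bar': '#\\<bar',
  '<buz>': '#\\<buz\\>',
  '>qux<': '#\\>qux\\<',
};

function classifyAll(cases) {
  const out = {};
  for (const [id, sel] of Object.entries(cases)) {
    out[id] = classify(sel);
  }
  return out;
}

// Only '<buz>' has "<" before ">", so only it falls on the HTML path.
console.log(classifyAll(reported));
```

When the id is data, `$(document.getElementById(id))` or `$(document).find(selector)` avoids the string form of `$()` and with it the HTML check.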