Index: wp-includes/js/jquery/jquery-migrate.js =================================================================== --- wp-includes/js/jquery/jquery-migrate.js (revision 24251) +++ wp-includes/js/jquery/jquery-migrate.js (working copy) @@ -1,5 +1,5 @@ /*! - * jQuery Migrate - v1.1.1 - 2013-02-16 + * jQuery Migrate - v1.2.1 - 2013-05-08 * https://github.com/jquery/jquery-migrate * Copyright 2005, 2013 jQuery Foundation, Inc. and other contributors; Licensed MIT */ @@ -17,8 +17,8 @@ // jQuery.migrateMute = false; // Show a message on the console so devs know we're active -if ( !jQuery.migrateMute && window.console && console.log ) { - console.log("JQMIGRATE: Logging is active"); +if ( !jQuery.migrateMute && window.console && window.console.log ) { + window.console.log("JQMIGRATE: Logging is active"); } // Set to false to disable traces that appear with warnings @@ -33,10 +33,11 @@ }; function migrateWarn( msg) { + var console = window.console; if ( !warnedAbout[ msg ] ) { warnedAbout[ msg ] = true; jQuery.migrateWarnings.push( msg ); - if ( window.console && console.warn && !jQuery.migrateMute ) { + if ( console && console.warn && !jQuery.migrateMute ) { console.warn( "JQMIGRATE: " + msg ); if ( jQuery.migrateTrace && console.trace ) { console.trace(); @@ -189,26 +190,35 @@ var matched, browser, oldInit = jQuery.fn.init, oldParseJSON = jQuery.parseJSON, - // Note this does NOT include the #9521 XSS fix from 1.7! - rquickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*|#([\w\-]*))$/; + // Note: XSS check is done below after string is trimmed + rquickExpr = /^([^<]*)(<[\w\W]+>)([^>]*)$/; // $(html) "looks like html" rule change jQuery.fn.init = function( selector, context, rootjQuery ) { var match; if ( selector && typeof selector === "string" && !jQuery.isPlainObject( context ) && - (match = rquickExpr.exec( selector )) && match[1] ) { + (match = rquickExpr.exec( jQuery.trim( selector ) )) && match[ 0 ] ) { // This is an HTML string according to the "old" rules; is it still? if ( selector.charAt( 0 ) !== "<" ) { migrateWarn("$(html) HTML strings must start with '<' character"); } + if ( match[ 3 ] ) { + migrateWarn("$(html) HTML text after last tag is ignored"); + } + // Consistently reject any HTML-like string starting with a hash (#9521) + // Note that this may break jQuery 1.6.x code that otherwise would work. + if ( match[ 0 ].charAt( 0 ) === "#" ) { + migrateWarn("HTML string cannot start with a '#' character"); + jQuery.error("JQMIGRATE: Invalid selector string (XSS)"); + } // Now process using loose rules; let pre-1.8 play too if ( context && context.context ) { // jQuery object as context; parseHTML expects a DOM object context = context.context; } if ( jQuery.parseHTML ) { - return oldInit.call( this, jQuery.parseHTML( jQuery.trim(selector), context, true ), + return oldInit.call( this, jQuery.parseHTML( match[ 2 ], context, true ), context, rootjQuery ); } } Index: wp-includes/script-loader.php =================================================================== --- wp-includes/script-loader.php (revision 24251) +++ wp-includes/script-loader.php (working copy) @@ -134,7 +134,7 @@ // jQuery $scripts->add( 'jquery', false, array( 'jquery-core', 'jquery-migrate' ) ); $scripts->add( 'jquery-core', '/wp-includes/js/jquery/jquery.js', array(), '1.9.1' ); - $scripts->add( 'jquery-migrate', '/wp-includes/js/jquery/jquery-migrate.js', array(), '1.1.1' ); + $scripts->add( 'jquery-migrate', '/wp-includes/js/jquery/jquery-migrate.js', array(), '1.2.1' ); // full jQuery UI $scripts->add( 'jquery-ui-core', '/wp-includes/js/jquery/ui/jquery.ui.core.min.js', array('jquery'), '1.10.3', 1 );