From dea243f2ebe5d4a6df84a6c948d8d09da78a4ded Mon Sep 17 00:00:00 2001
From: Miguel Fonseca
Date: Tue, 17 Feb 2015 17:52:36 +0000
Subject: [PATCH] Sanitize location.hash before passing it to getElementById

There is no actual vulnerability in the existing implementation, as we can only fetch existing elements (no DOM injection is possible). Plus, the only call occurring on those elements is `HTMLElement#focus`. Consider this an extra, more future-proof precaution.
---
 js/skip-link-focus-fix.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/js/skip-link-focus-fix.js b/js/skip-link-focus-fix.js
index 15813491..aa431284 100644
--- a/js/skip-link-focus-fix.js
+++ b/js/skip-link-focus-fix.js
@@ -5,7 +5,14 @@ if ( ( is_webkit || is_opera || is_ie ) && document.getElementById && window.addEventListener ) {
 window.addEventListener( 'hashchange', function() {
- var element = document.getElementById( location.hash.substring( 1 ) );
+ var id = location.hash.substring( 1 ),
+ element;
+
+ if ( ! /^[A-z0-9_-]+$/.test( id ) ) {
+ return;
+ }
+
+ element = document.getElementById( id );
 if ( element ) {
 if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) ) {