getSelectorFromElement return null on bad selectors (#27912)

js/src/util.js

@@ -82,7 +82,11 @@ const Util = {
       selector = hrefAttr && hrefAttr !== '#' ? hrefAttr.trim() : ''
     }
 
-    return selector && document.querySelector(selector) ? selector : null
+    try {
+      return document.querySelector(selector) ? selector : null
+    } catch (err) {
+      return null
+    }
   },
 
   getTransitionDurationFromElement(element) {

js/tests/unit/modal.js

@@ -619,22 +619,20 @@ $(function () {
     assert.expect(1)
     var done = assert.async()
 
-    try {
     var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div id=&quot;modal-test&quot;&gt;&lt;div class=&quot;contents&quot;&lt;div&lt;div id=&quot;close&quot; data-dismiss=&quot;modal&quot;/&gt;&lt;/div&gt;&lt;/div&gt;"/>')
       .appendTo('#qunit-fixture')
 
     $toggleBtn.trigger('click')
-    } catch (e) {
+    setTimeout(function () {
       assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
       done()
-    }
+    }, 0)
   })
 
   QUnit.test('should not execute js from target', function (assert) {
     assert.expect(0)
     var done = assert.async()
 
-    try {
     // This toggle button contains XSS payload in its data-target
     // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
     //       a script element works in manual tests though, so here it is likely blocked by the qunit framework
@@ -650,9 +648,8 @@ $(function () {
       .appendTo('#qunit-fixture')
 
     $toggleBtn.trigger('click')
-    } catch (e) {
+
-      done()
+    setTimeout(done, 500)
-    }
   })
 
   QUnit.test('should not try to open a modal which is already visible', function (assert) {

js/tests/unit/util.js

@@ -20,17 +20,16 @@ $(function () {
     assert.strictEqual(Util.getSelectorFromElement($el2[0]), null)
   })
 
-  QUnit.test('Util.getSelectorFromElement should throw error when there is a bad selector', function (assert) {
+  QUnit.test('Util.getSelectorFromElement should return null when there is a bad selector', function (assert) {
     assert.expect(2)
 
     var $el = $('<div data-target="#1"></div>').appendTo($('#qunit-fixture'))
 
-    try {
+    assert.strictEqual(Util.getSelectorFromElement($el[0]), null)
-      assert.ok(true, 'trying to use a bad selector')
+
-      Util.getSelectorFromElement($el[0])
+    var $el2 = $('<a href="/posts"></a>').appendTo($('#qunit-fixture'))
-    } catch (e) {
+
-      assert.ok(e instanceof DOMException)
+    assert.strictEqual(Util.getSelectorFromElement($el2[0]), null)
-    }
   })
 
   QUnit.test('Util.typeCheckConfig should thrown an error when a bad config is passed', function (assert) {