Docs: Replace `#NUMBER` Trac issue references with `trac-NUMBER`
The GitHub UI treats `#NUMBER` as referring to its own issues which is confusing
when in jQuery source it's usually referring to the old deprecated Trac instance
at https://bugs.jquery.com. This change replaces all such Trac references with
`trac-NUMBER`.
A few of the references came with the Sizzle integration and referred to the
Sizzle GitHub bug tracker. Those have been replaced with full links instead.
A new entry describing issue reference conventions has been added to README.
Richard Gibson [Mon, 3 Jan 2022 12:28:49 +0000 (07:28 -0500)]
CSS: Justify use of rtrim on CSS property values
CSS does not acknowledge carriage return or form feed characters
as whitespace but it does replace them with whitespace, making it
acceptable to use `rtrim`.
TestSwarm is now proxied via Cloudflare which cuts out headers relevant for
ETag tests, failing them. We're still running those tests in Karma on Chrome
& Firefox (including Firefox ESR).
Tests: Allow statusText to be "success" in AJAX tests
In HTTP/2, status message is not supported and whatever is reported as
statusText differs between browsers. In Chrome & Safari it's "success", in
Firefox & IE it's "OK". So far "success" wasn't allowed. This made the tests
pass locally if you're running an HTTP/1.1 server but on TestSwarm which is
now proxied via an HTTP/2-equipped Cloudflare, the relevant test started failing
in Chrome & Safari.
Docs: Update the URL to the latest jQuery build in CONTRIBUTING.md
It used to say https://code.jquery.com/jquery.js but that's a frozen URL
to jQuery 1.11.1. Let's switch that to the URL to the Git build, i.e.
https://releases.jquery.com/git/jquery-git.js.
Attributes: Don't stringify attributes in the setter
Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.
Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.
Tests: Make Karma browser timeout larger than the QUnit one
Since the default Karma browser no activity timeout was lower than the QUnit
timeout, a single timing out test was interrupting the whole test run of
a browser.
The QUnit timeout is set to 1 minute so I set the Karma one to 2 minutes.
Build: Update ESLint & eslint-plugin-import, fixing the build
Latest `main` started failing the build after some transitive dependencies
got updated, incorrectly recognizing some files with default exports as unused.
Since the new ESLint no longer supports Node 10 which we have to build on due
to use in our CI, skip ESLint in Node 10.
Docs: Remove the CLA checkbox in the pull request template
The EasyCLA status check is required so this won't get missed. The old JSF CLA
is dead, the provided link doesn't return meaningful information. There's no
good replacement link for the old CLA; PR authors are just supposed to sign the
new CLA by clicking on a link posted by the EasyCLA bot when they submit their
first PR since EasyCLA was enabled for the repo.
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.
One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespaces are allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.
No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.
The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.
See https://web.dev/trusted-types/ for more information about TrustedHTML.
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comments
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.
We also used to strip CDATA sections. However, this shouldn't be needed as in
XML documents they're already not visible when inspecting element contents and
in HTML documents they have no meaning. We've preserved that behavior for
backwards compatibility in 3.x but we're removing it for 4.0.
Event: Don't break focus triggering after `.on(focus).off(focus)`
The `_default` function in the special event settings for focus/blur has
always returned `true` since gh-4813 as the event was already being fired
from `leverageNative`. However, that only works if there's an active handler
on that element; this made a quick consecutive call:
make subsequent `.trigger( "focus" )` calls to not do any triggering.
The solution, already used in a similar `_default` method for the `click` event,
is to check for the `dataPriv` entry on the element for the focus event
(similarly for blur).
Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.
Tests: Make more tests run natively in Chrome & Firefox
Chrome & Firefox now support complex `:not()` selectors so those test can run
in them even without custom jQuery selector code. In the past, it was only
possible in Safari, now we only need to exclude IE.
Build: Take core-js-bundle from the external directory as well
That package was missed in gh-4865 as it only broke browsers needing the
polyfill which is just IE at the moment. Thus, it broke Core tests in IE only.
In gh-4466, we removed the `external` directory in favor of loading some files
directly from `node_modules`. This works fine locally but when deploying code
for tests, this makes it impossible to not deploy `node_modules` as well. To
avoid the issue, this change restores usage of the `external` directory.
One change is that we no longer commit this directory to the repository, its
only purpose is to have clear isolation from `node_modules`.
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic same-domain scripts as well.
After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script` in `jQuery.ajax` options or to use
`jQuery.getScript`.
Tests: Fix tests for not auto-executing scripts without dataType
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
"text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
query string parameter
Timmy Willison [Mon, 11 Jan 2021 16:56:08 +0000 (11:56 -0500)]
Dimensions: Add offset prop fallback to FF for unreliable TR dimensions
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties
due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.
This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.
A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.
Event: Don't crash if an element is removed on blur
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.
Build: Explicitly exclude the queue module from the slim build
The queue module is not present in the slim build as it depends on deferred
and our Gruntfile specifies excluding deferred should also exclude queue:
https://github.com/jquery/jquery/blob/3.5.1/Gruntfile.js#L66
This commit makes this exclusion explicit so that the queue module never
accidentally gets re-included in the slim build if it stopped importing from
the deferred module directly.
Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.
Also, clean up some comments & remove some obsolete workarounds.
Tests: Recognize callbacks with dots in the Node.js mock server
This aligns the Node.js server with the previous PHP one in sending `mock.php`
as a callback if there's no `callback` parameter in the query string which is
triggered by a recently added test. This prevents the request crashing on that
Node.js server and printing a JS error:
```
TypeError: Cannot read property '1' of null
```
Build: Make the import/no-unused-modules ESLint rule work in WebStorm
When run via WebStorm, the root path against which paths in the config of the
`import/no-unused-modules` ESLint rule are resolved is the path where the ESLint
config file that defines the rule lies, i.e. `src`. When run via the command
line, it's usually the root folder of the jQuery repository. This pattern
intends to catch both.
Note that we cannot specify two patterns here:
```js
[ "src/*.js", "*.js" ]
```
as they're analyzed individually and the rule crashes if a pattern cannot be
matched.
Ajax: Make responseJSON work for erroneous same-domain JSONP requests
Don't use a script tag for JSONP requests unless for cross-domain requests
or if scriptAttrs are provided. This makes the `responseJSON` property available
in JSONP error callbacks.
This fixes a regression from jQuery 3.5.0 introduced in gh-4379 which made
erroneous script responses to not be executed to follow native behavior.
The 3.x-stable branch doesn't need this fix as it doesn't use script tags for
regular async requests.
Dallas Fraser [Tue, 25 Aug 2020 19:41:06 +0000 (15:41 -0400)]
Ajax: Execute JSONP error script responses
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.
This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.
For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.
The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.
Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.
This commit disables the auto-promoting logic.
BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.
This also resolves a security warning from GitHub about a vulnerable `request`
version - the new `testswarm` package version depends on a fixed `request`.
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.
The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.
IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.
All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.
Docs: Update Frequently Reported Issues in the GitHub issue template
The issue about selectors with '#' being broken is old and no longer
frequently reported so this commit removes it from the list. On the other
hand, we're now getting lots of reports about the security fix in jQuery 3.5.0
that was also a breaking change: gh-4642. This one is now mentioned in the
list.
Build:Event: Make sure all source modules' exports are used (#4648)
To achieve that, use `eslint-plugin-import`'s `no-unused-modules` rule.
Also, explicitly import `event/trigger.js` from `jquery.js`; so far it was
only imported from ajax.js, making it mistakenly skipped in the
`custom:slim,-deprecated` build.
Build: Followups after introducing ES modules compiled via Rollup
This commit cleans up a few comments & configurations that are out of date
after the migration to ES modules backed by a Rollup-based compilation.
Also, de-indent AMD modules. This will preserve a more similar
structure to the one on 3.x-stable where the body of the main `define`
wrapper is not indented.
CSS: Include `show`, `hide` & `toggle` methods in the jQuery slim build
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.
To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.
Wonseop Kim [Tue, 5 May 2020 08:49:27 +0000 (17:49 +0900)]
Build: Correct code indentations based on jQuery Style Guide
1. Correct code indentations based on jQuery Style Guide
(contribute.jquery.org/style-guide/js/#spacing).
2. Add rules to "src/.eslintrc.json" to enable "enforcing consistent
indentation", with minimal changes to the current code.
Build: Reduce the slim build header comment & jQuery.fn.jquery
So far, the slim build was expanded to its full exclusion list, generating the
following `jQuery.fn.jquery`:
```
v4.0.0-pre -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```
This commit changes it to just `v4.0.0-pre slim`. Only the pure slim build is
treated this way, any modification to it goes through the old expansion; e.g.
for `custom:slim,-deprecated` we get the following `jQuery.fn.jquery`:
```
v4.0.0-pre -deprecated,-deprecated/ajax-event-alias,-deprecated/event,-ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```
Since the version string is also put in the jQuery header comment, it also got
smaller.
Also, the logic to skip including the commit hash in the header comment - when
provided through the COMMIT environment variable which we do in Jenkins - in
minified builds headers has been applied to builds with exclusions as well.
Tests: Use only one focusin/out handler per matching window & document
Backport tests from a jQuery 3.x fix that's not needed on `master`.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5aa415367a7dae0b55c2dd17b591442d - the commit that
introduced the regression - to make sure we don't regress on either front.
The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.
Tests: Fix flakiness in the "jQuery.ajax() - JSONP - Same Domain" test
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```
There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.
This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.
Christian Wenz [Mon, 6 Apr 2020 19:15:55 +0000 (21:15 +0200)]
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
Fixes gh-4119
Closes gh-4650
Co-authored-by: Richard Gibson <richard.gibson@gmail.com> Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Travis reports warnings in our config:
* root: deprecated key sudo (The key `sudo` has no effect anymore.)
* root: missing os, using the default linux
* root: key matrix is an alias for jobs, using jobs
Use a dist README fixture kept in the jQuery repository instead of modifying
an existing one. This makes the jQuery repository the single source of truth
when it comes to jQuery releases and it makes it easier to make changes to
README without worrying how it will affect older jQuery lines.
The commit also ES6ifies build/release.js & build/release/dist.js
Build: Enable ESLint one-var rule for var declarations in browser code
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de09a52496f78baebc04f317e11ece6d2
when fixing the trac-12989 bug.
Ajax: Deprecate AJAX event aliases, inline event/alias into deprecated
A new `src/deprecated` directory makes it possible to exclude some deprecated
APIs from a custom build when their respective "parent" module is excluded
without keeping that module outside of the `src/deprecated` directory or
the `src/deprecated.js` file.
The consequence is `.css( "opacity" )` will now return an empty string for
detached elements in standard-compliant browsers and "1" in IE & the legacy
Edge. That behavior is shared by most other CSS properties which we're not
normalizing either.
Core: Exclude callbacks & deferred modules in the slim build as well
So far, the slim build only excluded ajax & effects modules. As many web apps
right now rely on native Promises, often with a polyfill for legacy browsers,
deferred & callbacks modules are not that useful for sites that already exclude
ajax & effects modules.
This decreases the gzipped minified size of the slim module by 1760 bytes,
to 19706 bytes (below 20k!).
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.
This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.
Build: Make dev mode work in Karma again, serve source files from disk
PR gh-4550 added support for running ES modules & AMD tests via Karma. This
required reading the `esmodules` & `amd` props from both `QUnit.config` &
`QUnit.urlParams`. By picking these two properties manually, the `dev` one
stopped being respected while ones handled directly by QUnit were fine (like
`hidepassed`). Instead of maintaining the full list of options, the code now
iterates over QUnit URL config and handles the fallbacks in a more generic way.
Apart from that, all jQuery source & test files are now read directly from disk
instead of being cached by Karma so that one can run `grunt karma:chrome-debug`
& work on a fix without restarting that Karma run after each change. A similar
effect could have been achieved by setting `autoWatch` to `true` but then the
main Karma page runs tests in an iframe by default when
`grunt karma:chrome-debug` is run instead of relying on the current debug flow.
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.