Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.
Tests: Fix tests for not auto-executing scripts without dataType
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
"text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
query string parameter
Timmy Willison [Mon, 11 Jan 2021 16:56:38 +0000 (11:56 -0500)]
Dimensions: Modify reliableTrDimensions support test to account for FF
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties
Tests: Skip the jQuery.parseXML error reporting test in Legacy Edge
Legacy Edge, similarly to IE, doesn't report XML parsing errors but just tries
to render the invalid document. Skip the error reporting test there, Edge Legacy
will return a generic "Invalid XML" error, just like IE.
Tests: Fix the jQuery.parseXML error reporting test
Changes:
* Remove incorrect `QUnit.testUnlessIE` usage as that util is only available
on `master`, not here.
* Change `firstCall.lastArg` to `firstCall.args[ 0 ]` as the former API is not
available in older Sinon versions.
due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.
This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.
A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.
Event: Don't crash if an element is removed on blur
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.
Tests: Recognize callbacks with dots in the Node.js mock server
This aligns the Node.js server with the previous PHP one in sending `mock.php`
as a callback if there's no `callback` parameter in the query string which is
triggered by a recently added test. This prevents the request crashing on that
Node.js server and printing a JS error:
```
TypeError: Cannot read property '1' of null
```
Dallas Fraser [Tue, 25 Aug 2020 19:41:06 +0000 (15:41 -0400)]
Ajax: Execute JSONP error script responses
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.
This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.
The way warning against number values in `.css()` setters was done in
jquery/jquery-migrate#337 and later refined in jquery/jquery-migrate#348
there's no need to send px-ed strings for `top` & `left` as they already
don't get the "px" suffix.
Wonseop Kim [Tue, 5 May 2020 08:49:27 +0000 (17:49 +0900)]
Build: Correct code indentations based on jQuery Style Guide
1. Correct code indentations based on jQuery Style Guide
(contribute.jquery.org/style-guide/js/#spacing).
2. Add rules to "src/.eslintrc.json" to enable "enforcing consistent
indentation", with minimal changes to the current code.
Tests: Fix flakiness in the "jQuery.ajax() - JSONP - Same Domain" test
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```
There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.
This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.
The change in gh-4603 made the object returned by `elem.data()`
a prototype-less object. That's a desired change to support keys
colliding with `Object.prototype` properties but it's also a breaking
change so it has to wait for jQuery 4.0.0.
A 3.x-only test was added to avoid breaking it in the future on this
branch.
Sean Robinson [Fri, 26 Apr 2019 14:25:08 +0000 (07:25 -0700)]
Ajax: Do not execute scripts for unsuccessful HTTP responses
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).
Christian Wenz [Mon, 6 Apr 2020 19:15:55 +0000 (21:15 +0200)]
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
The main part of the test was checking that focusin handling in an iframe works
and that's still checked. The test was also checking that it doesn't propagate
to the parent document, though, and, apparently, in IE it does. This one test
is now blacklisted in IE.
Event: Use only one focusin/out handler per matching window & document
The `doc` variable in:
https://github.com/jquery/jquery/blob/3.4.1/src/event/focusin.js#L30
matched `document` for `document` & `window` for `window`, creating two
separate wrapper event handlers & calling handlers twice if at least one
`focusout` or `focusin` handler was attached on *both* `window` & `document`,
or on `window` & another regular node.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5aa415367a7dae0b55c2dd17b591442d - the commit that
introduced the regression - to make sure we don't regress on either front.
Travis reports warnings in our config:
* root: deprecated key sudo (The key `sudo` has no effect anymore.)
* root: missing os, using the default linux
* root: key matrix is an alias for jobs, using jobs
Use a dist README fixture kept in the jQuery repository instead of modifying
an existing one. This makes the jQuery repository the single source of truth
when it comes to jQuery releases and it makes it easier to make changes to
README without worrying how it will affect older jQuery lines.
The commit also ES6ifies build/release.js & build/release/dist.js
Build: Enable ESLint one-var rule for var declarations in browser code
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.
Core:Ajax: Align nonce & global with master, fix an AMD issue
This commit aligns the `3.x-stable` branch with `master` in two aspects:
1. It migrates the nonce module to return an object instead of a primitive
variable. This had to be changed on `master` as in ES modules you export
live read-only bindings to variables, meaning you can't increment the nonce
directly. Also, the way it was done so far was working differently in AMD & the
single built file - in the built file one nonce variable was declared, accessed
and incremented. In AMD mode separate instances were create for each module
that depend on the nonce module, creating unintended nonce clashes.
2. Whether the `noGlobal` parameter was set to `true` is now checked using the
typeof operator to align with `master`.
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
Build:Tests: Fix custom build tests, verify on Travis; name Travis jobs
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The 4.0 (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.
Apart from that, add intuitive names to Travis jobs. Otherwise it's hard to see
at a glance that a particular job is running on Firefox ESR, for example.
Ajax: Deprecate AJAX event aliases, inline event/alias into deprecated
A new `src/deprecated` directory makes it possible to exclude some deprecated
APIs from a custom build when their respective "parent" module is excluded
without keeping that module outside of the `src/deprecated` directory or
the `src/deprecated.js` file.
Tests: Make the support tests pass on Firefox 4x/5x/60
The check for old Firefox versions with different support test result only
checked for Firefox 52 or 60. It now checks for 4x/5x/60 to understand more
versions.
Event: Only attach events to objects that accept data - for real
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.
Tests: Don't test synchronous XHR on unload in Chrome
Chrome 78 dropped support for synchronous XHR requests inside of
beforeunload, unload, pagehide, and visibilitychange event handlers.
See https://bugs.chromium.org/p/chromium/issues/detail?id=952452
Build: Run tests on Travis on FirefoxHeadless as well
Also, run them on both ChromeHeadless & FirefoxHeadless locally on
`grunt karma:main`.
Plus, so far, the chrome addons were installed for all the jobs, even
the ones that weren't used for browser testing. Changing that makes
those jobs faster.
Dave Methvin [Mon, 21 Oct 2019 16:53:24 +0000 (12:53 -0400)]
Offset: Send px-ed strings to .css()
An upcoming release of Migrate will generate warnings for calls to .css() that pass numbers rather than strings, see jquery/jquery-migrate#296 . At the moment, core's .offset() setter passes numbers rather than px strings so it would throw warnings. This commit fixes that.
Build: Require strict mode in Node.js scripts via ESLint
So far, only browser-based JS files were required to be in strict mode (in the
function form). This commit adds such a requirement to Node.js scripts where
the global form is preferred. All Node.js scripts in sloppy mode were
converted to strict mode.
Without this change passing `--dry-run` to jquery-release still pushes to the
jquery-dist repository which is dangerous as one can assume `--dry-run` to be
safe from external side effects.
This commit requires all function parameters to be used, not just the last one.
In cases where that's not possible as we need to match an external API, there's
an escape hatch of prefixing an unused argument with `_`.
This change makes it easier to catch unused AMD dependencies and unused
parameters in internal functions the API of which we may change at will, among
other things.
Unused AMD dependencies have been removed as part of this commit.
Build: Fix the regex parsing AMD var-modules (#4389)
The previous regex caused the final jQuery binary to have syntax errors for
var-modules with names starting with "return". For example, the following module
wouldn't work when the file is named `returnTrue.js`:
Wonseop Kim [Wed, 1 May 2019 12:57:55 +0000 (21:57 +0900)]
Effect: Fix a unnecessary conditional statement in .stop()
Because of the above conditional, the 'type' variable has a value of type
'string' or undefined. Therefore, boolean comparisons for 'type' variable
is always unnecessary because it return true. The patch removed the
unnecessary conditional statement.
Ahmed.S.ElAfifi [Mon, 19 Aug 2019 08:04:01 +0000 (10:04 +0200)]
Core: Use Array.prototype.flat where supported
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.
Tests: Move Android user agent detection above iOS, put Safari last
Android was catching the generic iOS regex. Checking for Android first should
eliminate that issue as iOS user agents don't contain the word "Android".
Putting Safari last makes Android UAs not be tested against it.
Tests: Make support tests accept Safari 13 & newer
The regexes detecting browsers with their versions have been updated for iOS
and Safari so that all iOS >=11 & all Safari (desktop) >= 11 are recognized.
This is required to make Safari 13 & iOS 13 pass support tests but it'll also
make tests forward-compatible with future Safari/iOS versions.
Traversing: Fix `contents()` on `<object>`s with children in IE
The original fix didn't account for the fact that in IE `<object>` elements
with no `data` attribute have an object `contentDocument`. The fix leverages
the fact that this special object has a null prototype.