Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` so far accepted
many characters that have special meaning, leading to possibly reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.
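An added illustration of the allowlist this commit message describes, not the jQuery UI test server's own code: a hypothetical Node.js helper (`resolveUnitTestFile`, `BASE_DIR` and the route regex are assumptions) that accepts only alphanumeric characters, `-` or `_` in the two parameters after `/unit/`, then confirms the resolved file stays under the repository root.

```javascript
// Added example; all names and the repository root are hypothetical.
const path = require( "path" );

const BASE_DIR = path.resolve( "/srv/repo" ); // constructed repository root

// Route shape from the commit message: /tests/unit/*/*.html
const UNIT_ROUTE = /^\/tests\/unit\/([^/]+)\/([^/]+)\.html$/;

// Each parameter after /unit/ may contain only alphanumerics, "-" or "_".
const SAFE_SEGMENT = /^[A-Za-z0-9_-]+$/;

// Returns the absolute file to serve, or null if the request is rejected.
function resolveUnitTestFile( urlPath ) {
	let decoded;
	try {

		// Decode once so "%2e%2e" is judged as "..", not as harmless text.
		decoded = decodeURIComponent( urlPath );
	} catch ( e ) {
		return null; // malformed percent-encoding
	}

	const match = UNIT_ROUTE.exec( decoded );
	if ( !match ) {
		return null;
	}

	const dir = match[ 1 ];
	const file = match[ 2 ];
	if ( !SAFE_SEGMENT.test( dir ) || !SAFE_SEGMENT.test( file ) ) {
		return null; // ".", "%", "<", "\" and similar never reach the file system
	}

	const resolved = path.resolve( BASE_DIR, "tests", "unit", dir, file + ".html" );

	// Defence in depth: the result must still be inside the repository.
	const rel = path.relative( BASE_DIR, resolved );
	if ( rel.startsWith( ".." ) || path.isAbsolute( rel ) ) {
		return null;
	}
	return resolved;
}
```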
The ESLint config for `demos` extends the one for the `ui` directory. However,
the `ui` one used to not be a root one, making the `demos` one effectively not
depend on the `jquery` preset. Fix that and fix lots of lint violations in
`demos/search.js`.
dependabot[bot] [Sun, 6 Oct 2024 22:16:34 +0000 (00:16 +0200)]
Build: Bump the github-actions group with 2 updates
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-node](https://github.com/actions/setup-node).
Updates `actions/checkout` from 4.1.7 to 4.2.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938)
Effect: Remove demos & visual tests of the transfer effect
The transfer effect is deprecated and not present unless `$.uiBackCompat` is set
to `true`. In previous UI versions, the default was including the backwards
compat layer so these demos & tests worked; now they do not by default. Just
remove them.
Dialog: Add option to put the dialog title in a header element
Implement a new option: `uiDialogTitleHeadingLevel`, allowing to change
the `span` wrapping the dialog title into a heading element (`h1`-`h6`).
Value `0` represents the `span`, values 1-6 - a heading at the specified
level.
Tests: Properly check `$.uiBackCompat` in common widget tests
The "common widget" tests, checking if a widget doesn't overwrite some
core widget APIs, weren't running as they were incorrectly checking for
`$.uiBackCompat === false` instead of `$.uiBackCompat !== true` after the
default changed in gh-2250.
Fixing the check uncovered that the draggable & sortable modules do
overwrite the `_trigger` method. Add an exception in the test for that;
at this stage of the project we don't plan to change the implementation.
When the datepicker UI is shown and then destroyed programmatically:
```js
$( "#datepicker" ).datepicker( "destroy" );
```
hide the datepicker UI without the need for an explicit user action.
Previously, in 1.12 the UI would not disappear immediately but only after the
first `mousedown`. In later 1.13 versions, the UI would not disappear at all.
Tests: Update jQuery Migrate from 3.4.1 to 3.5.2, simplify Migrate setup
Apart from updating jQuery Migrate, the setup is now changed so that exact
Migrate versions are only referenced when fetching npm packages; other than
that, they're represented as `jquery-migrate-1.x` & `jquery-migrate-3.x`. This
will allow smaller changes when updating jQuery Migrate in the future.
Demos: Make autocomplete demos work on jqueryui.com
The `jqueryui.com` demos build process deAMDifies HTML files, replacing required
JS files with direct script tags. On the other hand, when running demos locally
from the jQuery UI repository, RequireJS is used.
This used to work fine until we got a new `search.js` file introduced in
gh-2187. The deAMDifying process doesn't touch non-HTML files which made loading
autocomplete demos crash on "require is not a function".
To resolve the issues without a major rearchitecture of the build process,
the `search.js` file now detects AMD and uses `require`, falling back to relying
on the `jQuery` global in the other case.
Build: Group dependabot PRs updating GitHub Actions
We have monthly automatic dependabot PRs for GitHub Actions. Unfortunately,
as of now we get a separate PR for every dependency which is a bit spammy
compared to regular commits updating source.
Thankfully, there's now a way to tell dependabot to submit a single PR per
a defined group. This change defines a single group to have a single dependabot
PR for all action updates.
The initial 1.14.0 announcement only promised support for the latest version
of jQuery Core within each major. The main goal was to avoid testing on too many
old versions. However, just testing on the latest one seems too drastic. For
now, add `3.6.4` to the mix; we'll work on a more detailed policy soon.
Breaking changes applicable to jQuery UI:
* Use a space when serializing, remove the transparent case ([#88](https://github.com/jquery/jquery-color/issues/88), [aaf03cc](https://github.com/jquery/jquery-color/commit/aaf03ccec3bd8c15733d8e72e214cf63150a2569))
See https://github.com/jquery/jquery-color/releases/tag/3.0.0 for more
information.
All: Stop relying on jquery-patch.js internally, add tests
Avoid relying on jQuery patches. Instead:
* use `CSS.escape` instead of `jQuery.escapeSelector`
* use `.filter()` with a proper handler instead of `.even()`
Keep `jquery-patch.js` for backwards compatibility, though.
Tests: Increase robustness of a draggable `revert` test
One of the changes is increasing `revertDuration` from 200 to 300. For some
reason, when jQuery 3.1 is used in an iframe (which TestSwarm uses) the timings
are lower than expected and `setTimeout` too slow and the check for animation
happens too late.
Tests: Workaround a jQuery 1.8 issue with one dialog test
The test "#8958: dialog can be opened while opening" had special behavior in
jQuery 1.8 and the patch from commit 7adb13ac7c30a7ba33f1db256952be77b9e7a310
broke those assumptions. Adjust the test so that it passes again.
Tests: Workaround IE issues in qunit-assert-domequal
In IE, `option` elements may have different initial `option` colors.
They may initially all be transparent, but later the selected
option gets a blue background with white text; we now ignore it.
The logic of `qunit-assert-domequal` was also fixed to use the same
method of fetching styles in all browsers; IE used to get a legacy
one meant for IE <9 due to a mistake in the performed check.
Tests: Fix selectmenu width tests in Firefox with jQuery 3.0 & 3.1
jQuery 3.0 & 3.1 used `getBoundingClientRect()` in its `width`/`height`
calculations and that causes minor differences in fractional width computations.
Allow a tiny delta in tests to fix those tests breaking in Firefox.
Dialog: Fix IE tests about interactions with other dialogs
The workaround triggering a second delayed focus to a tabbable element was
applied in jQueries 3.4 & 3.5 to fix IE issues. It also needs to be applied
in jQuery 3.6 which this commit adds.
This will no longer be needed in jQuery 3.7 and jQuery 3.x-git tests are
already passing because of that.
Selectmenu: Fix selecting options following hidden ones
Change a2b25ef6caae3e1a272214839b815a6387618124 made options with
the `hidden` attribute skipped when rendering. However, that makes
indexes misaligned with native options as hidden ones maintain their
index values. Instead, don't skip hidden options but add the `hidden`
attribute to the respective jQuery UI elements as well.
Build: Fork vendors to remove QUnit deprecated API usage
Changes:
* add `tests/lib/vendor/**/*` to `.eslintignore`
* move `qunit-composite` to `tests/lib` so that we can modify it
* move `qunit-assert-classes` to `tests/lib` so that we can modify it
* move `qunit-assert-close` to `tests/lib` so that we can modify it
* replace `assert.push` with `assert.pushResult`
* remove usage of `QUnit.extend`
The `set-output` workflow is deprecated in favor of using environment
variables, see:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Also, workaround issues with QUnit Chrome bridge: the Chrome bridge
from `grunt-contrib-qunit` is now getting injected into every single
iframe, including an empty one that has no intention of running QUnit
tests. Since that bridge requires QUnit, it fails with an error
in such cases. Workaround the issue by wrapping the bridge in
another function that bails early if QUnit is not defined.
Self-closing tags are reported by newer versions of the htmllint
Grunt plugin. They also don't make sense in our HTML files
since they are not XHTML-compliant and they run in HTML mode
anyway.
Kenneth DeBacker [Thu, 30 Mar 2023 11:05:41 +0000 (07:05 -0400)]
Tests: Test only valid values for Datepicker defaultDate, min/maxDate
The docs say that valid periods when using string value and
period pairs as relative dates are "y", "m", "w", and "d"
https://api.jqueryui.com/datepicker/