Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.
Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.
This commit disables the auto-promoting logic.
BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.
This also resolves a security warning from GitHub about a vulnerable `request`
version - the new `testswarm` package version depends on a fixed `request`.
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.
The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.
IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.
All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.
Docs: Update Frequently Reported Issues in the GitHub issue template
The issue about selectors with '#' being broken is old and no longer
frequently reported so this commit removes it from the list. On the other
hand, we're now getting lots of reports about the security fix in jQuery 3.5.0
that was also a breaking change: gh-4642. This one is now mentioned in the
list.
Build:Event: Make sure all source modules' exports are used (#4648)
To achieve that, use `eslint-plugin-import`'s `no-unused-modules` rule.
Also, explicitly import `event/trigger.js` from `jquery.js`; so far it was
only imported from ajax.js, making it mistakenly skipped in the
`custom:slim,-deprecated` build.
Build: Followups after introducing ES modules compiled via Rollup
This commit cleans up a few comments & configurations that are out of date
after the migration to ES modules backed by a Rollup-based compilation.
Also, de-indent AMD modules. This will preserve a more similar
structure to the one on 3.x-stable where the body of the main `define`
wrapper is not indented.
CSS: Include `show`, `hide` & `toggle` methods in the jQuery slim build
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.
To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.
Wonseop Kim [Tue, 5 May 2020 08:49:27 +0000 (17:49 +0900)]
Build: Correct code indentations based on jQuery Style Guide
1. Correct code indentations based on jQuery Style Guide
(contribute.jquery.org/style-guide/js/#spacing).
2. Add rules to "src/.eslintrc.json" to enable "enforcing consistent
indentation", with minimal changes to the current code.
Build: Reduce the slim build header comment & jQuery.fn.jquery
So far, the slim build was expanded to its full exclusion list, generating the
following `jQuery.fn.jquery`:
```
v4.0.0-pre -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```
This commit changes it to just `v4.0.0-pre slim`. Only the pure slim build is
treated this way, any modification to it goes through the old expansion; e.g.
for `custom:slim,-deprecated` we get the following `jQuery.fn.jquery`:
```
v4.0.0-pre -deprecated,-deprecated/ajax-event-alias,-deprecated/event,-ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```
Since the version string is also put in the jQuery header comment, it also got
smaller.
Also, the logic to skip including the commit hash in the header comment - when
provided through the COMMIT environment variable which we do in Jenkins - in
minified builds headers has been applied to builds with exclusions as well.
Tests: Use only one focusin/out handler per matching window & document
Backport tests from a jQuery 3.x fix that's not needed on `master`.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5aa415367a7dae0b55c2dd17b591442d - the commit that
introduced the regression - to make sure we don't regress on either front.
The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.
Tests: Fix flakiness in the "jQuery.ajax() - JSONP - Same Domain" test
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```
There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.
This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.
Christian Wenz [Mon, 6 Apr 2020 19:15:55 +0000 (21:15 +0200)]
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
Fixes gh-4119
Closes gh-4650
Co-authored-by: Richard Gibson <richard.gibson@gmail.com> Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Travis reports warnings in our config:
* root: deprecated key sudo (The key `sudo` has no effect anymore.)
* root: missing os, using the default linux
* root: key matrix is an alias for jobs, using jobs
Use a dist README fixture kept in the jQuery repository instead of modifying
an existing one. This makes the jQuery repository the single source of truth
when it comes to jQuery releases and it makes it easier to make changes to
README without worrying how it will affect older jQuery lines.
The commit also ES6ifies build/release.js & build/release/dist.js
Build: Enable ESLint one-var rule for var declarations in browser code
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de09a52496f78baebc04f317e11ece6d2
when fixing the trac-12989 bug.
Ajax: Deprecate AJAX event aliases, inline event/alias into deprecated
A new `src/deprecated` directory makes it possible to exclude some deprecated
APIs from a custom build when their respective "parent" module is excluded
without keeping that module outside of the `src/deprecated` directory or
the `src/deprecated.js` file.
The consequence is `.css( "opacity" )` will now return an empty string for
detached elements in standard-compliant browsers and "1" in IE & the legacy
Edge. That behavior is shared by most other CSS properties which we're not
normalizing either.
Core: Exclude callbacks & deferred modules in the slim build as well
So far, the slim build only excluded ajax & effects modules. As many web apps
right now rely on native Promises, often with a polyfill for legacy browsers,
deferred & callbacks modules are not that useful for sites that already exclude
ajax & effects modules.
This decreases the gzipped minified size of the slim module by 1760 bytes,
to 19706 bytes (below 20k!).
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.
This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.
Build: Make dev mode work in Karma again, serve source files from disk
PR gh-4550 added support for running ES modules & AMD tests via Karma. This
required reading the `esmodules` & `amd` props from both `QUnit.config` &
`QUnit.urlParams`. By picking these two properties manually, the `dev` one
stopped being respected while ones handled directly by QUnit were fine (like
`hidepassed`). Instead of maintaining the full list of options, the code now
iterates over QUnit URL config and handles the fallbacks in a more generic way.
Apart from that, all jQuery source & test files are now read directly from disk
instead of being cached by Karma so that one can run `grunt karma:chrome-debug`
& work on a fix without restarting that Karma run after each change. A similar
effect could have been achieved by setting `autoWatch` to `true` but then the
main Karma page runs tests in an iframe by default when
`grunt karma:chrome-debug` is run instead of relying on the current debug flow.
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.
Selector: Remove the "a:enabled" workaround for Chrome <=77
Remove the workaround for a broken `:enabled` pseudo-class on anchor elements
in Chrome <=77. These versions of Chrome considers anchor elements with the
`href` attribute as matching `:enabled`.
jQuery source has been migrated in gh-4541 from AMD to ES modules. To maintain
support for consumers of our AMD modules, this commits adds a task transpiling
the ES modules sources in `src/` to AMD in `amd/`.
A "Load with AMD" checkbox was also restored to the QUnit setup. Note that,
contrary to jQuery 3.x, AMD files need to be generated via `grunt amd` or
`grunt` as sources are not authored in ECMAScript modules. To achieve a similar
no-compile experience during jQuery 4.x testing, use the new "Load as modules"
checkbox which works in all supported browsers except for IE & Edge (the
legacy, EdgeHTML-based one).
Event: Only attach events to objects that accept data - for real
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.
Build: Require extensions for ES6 imports, prevent import cycles
jQuery source is now authored in ECMAScript modules. Native browser support
for them requires full file names including extensions. Rollup works even
if import paths don't specify extensions, though, so one import slipped
through without such an extension, breaking native browser import of
src/jquery.js.
A new ESLint rule using eslint-plugin-import prevents us from regressing
on that front.
Also, eslint-plugin-import's no-cycle rule is used to avoid import cycles.
Selector: Make empty attribute selectors work in IE again
qSA in IE 11/Edge often (but not always) don't find elements with an empty
name attribute selector (`[name=""]`). Detect that & fall back to Sizzle
traversal.
Interestingly, IE 10 & older don't seem to have the issue.
Migrate all source AMD modules to ECMAScript modules. The final bundle
is compiled by a custom build process that uses Rollup under the hood.
Test files themselves are still loaded via RequireJS as that has to work in
IE 11.
Tests can now be run in "Load as modules" mode which replaces the previous
"Load with AMD" option. That option of running tests doesn't work in IE
and Edge as it requires support for dynamic imports.
Some of the changes required by the migration:
* check `typeof` of `noGlobal` instead of using the variable directly
as it's not available when modules are used
* change the nonce module to be an object as ECMASscript module exports
are immutable
* remove some unused exports
* import `./core/parseHTML.js` directly in `jquery.js` so that it's not
being cut out when the `ajax` module is excluded in a custom compilation
Tests: Don't test synchronous XHR on unload in Chrome
Chrome 78 dropped support for synchronous XHR requests inside of
beforeunload, unload, pagehide, and visibilitychange event handlers.
See https://bugs.chromium.org/p/chromium/issues/detail?id=952452
Build: Run tests on Travis on FirefoxHeadless as well
Also, run them on both ChromeHeadless & FirefoxHeadless locally on
`grunt karma:main`.
Plus, so far, the chrome addons were installed for all the jobs, even
the ones that weren't used for browser testing. Changing that makes
those jobs faster.
Selector: Use shallow document comparisons in uniqueSort
IE/Edge sometimes crash when comparing documents between frames using the strict
equality operator (`===` & `!==`). Funnily enough, shallow comparisons
(`==` & `!=`) work without crashing.
The change to shallow comparisons in `src/selector.js` was done in gh-4471 but
relevant changes in `src/selector/uniqueSort.js` were missed. Those changes
have landed in Sizzle in jquery/sizzle#459.
Selector: Add a test for throwing on post-comma invalid selectors
Sizzle's PR jquery/sizzle#456 introduced a test catching not throwing on
badly-escaped identifiers by Firefox 3.6-5. Unfortunately, it was placed just
before a test Opera 10-11 failed, making Opera fail quicker and not adding
a post-comma invalid selector to rbuggyQSA.
The issue was fixed in jquery/sizzle#463. This jQuery commit backports the test
that Sizzle PR added as no workarounds are needed in browsers jQuery supports.
Selector: Make selectors with leading combinators use qSA again
An optimization added in jquery/sizzle#431 skips the temporary IDs for selectors
not using child or descendant combinators. For sibling combinators, though, this
pushes a selector with a leading combinator to qSA directly which crashes and
falls back to a slower Sizzle route.
This commit makes selectors with leading combinators not skip the selector
rewriting. Note that after jquery/jquery#4454 & jquery/sizzle#453, all modern
browsers other than Edge leverage the :scope pseudo-class, avoiding temporary
id attributes.
Build: Require strict mode in Node.js scripts via ESLint
So far, only browser-based JS files were required to be in strict mode (in the
function form). This commit adds such a requirement to Node.js scripts where
the global form is preferred. All Node.js scripts in sloppy mode were
converted to strict mode.
Without this change passing `--dry-run` to jquery-release still pushes to the
jquery-dist repository which is dangerous as one can assume `--dry-run` to be
safe from external side effects.
After recent merging of Sizzle & jQuery AUTHORS.txt, the `grunt authors` task
doesn't provide meaningful as there's no obvious connection between current
AUTHORS.txt contents & the desired one. Adding two new entries should make it
easier (plus, it makes it possible to test jquery-release on current master).
Apart from that, the commit adds a missing .mailmap entry for Shashanka Nataraj.
Sean Robinson [Fri, 26 Apr 2019 14:25:08 +0000 (07:25 -0700)]
Ajax: Do not execute scripts for unsuccessful HTTP responses
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).
Ahmed.S.ElAfifi [Mon, 19 Aug 2019 08:04:01 +0000 (10:04 +0200)]
Core: Use Array.prototype.flat where supported
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.
Selector: Use shallow document comparisons to avoid IE/Edge crashes
IE/Edge sometimes crash when comparing documents between frames using the strict
equality operator (`===` & `!==`). Funnily enough, shallow comparisons
(`==` & `!=`) work without crashing.
Previously, jQuery.ajaxSettings.xhr, contents were wrapped in a try-catch
as we defined jQuery.support.ajax & jQuery.support.cors executed during the
jQuery load and we didn't want to crash if IE had native XHR disabled (which
is possible). While jQuery hasn't supported the ActiveX-based XHR since 2.0,
jQuery with XHR disabled could still be used for its other features in such
a crippled browser.
Since gh-4347, jQuery.support.ajax & jQuery.support.cors no longer exist, so
we don't need the try-catch anymore.
Selector: Leverage the :scope pseudo-class where possible
The `:scope` pseudo-class[1] has surprisingly good browser support: Chrome,
Firefox & Safari have supported if for a long time; only IE & Edge lack support.
This commit leverages this pseudo-class to get rid of the ID hack in most cases.
Adding a temporary ID may cause layout thrashing which was reported a few times
in [the past.
We can't completely eliminate the ID hack in modern browses as sibling selectors
require us to change context to the parent and then `:scope` stops applying to
what we'd like. But it'd still improve performance in the vast majority of
cases.
A copied comment line was accidentally left out above the line defining
`QUnit.jQuerySelectorsPos`, making the sentence nonsense. This commit removes
that line.
This commit removes Sizzle from jQuery, inlining its code & removing obsolete
workarounds where applicable.
The selector-native module has been removed. Further work on the selector
module may decrease the size enough that it will no longer be necessary. If
it turns out it's still useful, we'll reinstate it but the code will look
different anyway as we'll want to share as much code as possible with
the existing selector module.
The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are
sorted by their first contributions to either of the two repositories.
The commit reduces the gzipped jQuery size by 1460 bytes compared to master.
Apart from porting most Sizzle tests to jQuery (mostly to its selector module),
this commit fixes selector-native so that a jQuery custom compilation that
excludes Sizzle passes all tests as well.
This commit requires all function parameters to be used, not just the last one.
In cases where that's not possible as we need to match an external API, there's
an escape hatch of prefixing an unused argument with `_`.
This change makes it easier to catch unused AMD dependencies and unused
parameters in internal functions the API of which we may change at will, among
other things.
Unused AMD dependencies have been removed as part of this commit.
Build: Fix the regex parsing AMD var-modules (#4389)
The previous regex caused the final jQuery binary to have syntax errors for
var-modules with names starting with "return". For example, the following module
wouldn't work when the file is named `returnTrue.js`: