aboutsummaryrefslogtreecommitdiffstats
path: root/test/unit/manipulation.js
Commit message (Collapse)AuthorAgeFilesLines
* Tests: migrate testing infrastructure to minimal dependenciesTimmy Willison2024-02-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a complete rework of our testing infrastructure. The main goal is to modernize and drop deprecated or undermaintained dependencies (specifically, grunt, karma, and testswarm). We've achieved that by limiting our dependency list to ones that are unlikely to drop support any time soon. The new dependency list includes: - `qunit` (our trusty unit testing library) - `selenium-webdriver` (for spinning up local browsers) - `express` (for starting a test server and adding middleware) - express middleware includes uses of `body-parser` and `raw-body` - `yargs` (for constructing a CLI with pretty help text) - BrowserStack (for running each of our QUnit modules separately in all of our supported browsers) - `browserstack-local` (for opening a local tunnel. This is the same package still currently used in the new Browserstack SDK) - We are not using any other BrowserStack library. The newest BrowserStack SDK does not fit our needs (and isn't open source). Existing libraries, such as `node-browserstack` or `browserstack-runner`, either do not quite fit our needs, are under-maintained and out-of-date, or are not robust enough to meet all of our requirements. We instead call the [BrowserStack REST API](https://github.com/browserstack/api) directly. ## BrowserStack Runner - automatically retries individual modules in case of test failure(s) - automatically attempts to re-establish broken tunnels - automatically refreshes the page in case a test run has stalled - runs all browsers concurrently and uses as many sessions as are available under the BrowserStack plan. It will wait for available sessions if there are none. - supports filtering the available list of browsers by browser name, browser version, device, OS, and OS version (see `npm run test:unit -- --list-browsers` for more info). It will retrieve the latest matching browser available if any of those parameters are not specified. - cleans up after itself (closes the local tunnel, stops the test server, etc.) - Requires `BROWSERSTACK_USERNAME` and `BROWSERSTACK_ACCESS_KEY` environment variables. ## Selenium Runner - supports running any local browser as long as the driver is installed, including support for headless mode in Chrome, FF, and Edge - supports running `basic` tests on the latest [jsdom](https://github.com/jsdom/jsdom#readme), which can be seen in action in this PR (see `test:browserless`) - Node tests will run as before in PRs and all non-dependabot branches, but now includes tests on real Safari in a GH actions macos image instead of playwright-webkit. - can run multiple browsers and multiple modules concurrently Other notes: - Stale dependencies have been removed and all remaining dependencies have been upgraded with a few exceptions: - `sinon`: stopped supporting IE in version 10. But, `sinon` has been updated to 9.x. - `husky`: latest does not support Node 10 and runs on `npm install`. Needed for now until git builds are migrated to GitHub Actions. - `rollup`: latest does not support Node 10. Needed for now until git builds are migrated to GitHub Actions. - BrowserStack tests are set to run on each `main` branch commit - `debug` mode leaves Selenium browsers open whether they pass or fail and leaves browsers with test failures open on BrowserStack. The latter is to avoid leaving open too many sessions. - This PR includes a workflow to dispatch BrowserStack runs on-demand - The Node version used for most workflow tests has been upgraded to 20.x - updated supportjQuery to 3.7.1 Run `npm run test:unit -- --help` for CLI documentation Close gh-5418
* Manipulation: Generalize a test to support IERichard Gibson2024-01-131-3/+17
| | | | Ref gh-5378 Closes gh-5391
* Manipulation: Support $el.html(selfRemovingScript) (#5378)Richard Gibson2024-01-081-0/+15
| | | | | | | | Don't try to remove a script element that has already removed itself. Also, compress `DOMEval.js`. Fixes gh-5377 Closes gh-5378
* Build: migrate most grunt tasks off of gruntTimmy Willison2023-09-181-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | Updated tasks include: - lint - npmcopy - build, minify, and process for distribution. - new custom build command using yargs - compare size of minified/gzip built files - pretest scripts, including qunit-fixture, babel transpilation, and npmcopy - node smoke tests - promises aplus tests - new watch task using `rollup.watch` directly Also: - upgraded husky and added the new lint command - updated lint config to use new "flat" config format. See https://eslint.org/docs/latest/use/configure/configuration-files-new - Temporarily disabled one lint rule until flat config is supported by eslint-plugin-import. See https://github.com/import-js/eslint-plugin-import/issues/2556 - committed package-lock.json - updated all test scripts to use the new build - added an express test server that uses middleware-mockserver (this can be used to run tests without karma) - build-all-variants is now build:all Close gh-5318
* Core: Fix regression in jQuery.text() on HTMLDocument objectsTimo Tijhof2023-06-121-2/+5
| | | | | | | Fixes gh-5264 Closes gh-5265 (cherry picked from commit 44c56f87a31fbc1f43ac575cfd06a0df12073352)
* Selector:Manipulation: Fix DOM manip within template contentsMichał Gołębiowski-Owczarek2022-11-141-0/+40
| | | | | | | | | | | | | | | | The `<template/>` element `contents` property is a document fragment that may have a `null` `documentElement`. In Safari 16 this happens in more cases due to recent spec changes - in particular, even if that document fragment is explicitly adopted into an outer document. We're testing both of those cases now. The crash used to happen in `jQuery.contains`. As it turns out, we don't need to query the supposed container `documentElement` if it has the `Node.DOCUMENT_NODE` (9) `nodeType`; we can call `.contains()` directly on the `document`. That avoids the crash. Fixes gh-5147 Closes gh-5158
* Tests: Exclude tests based on compilation flags, not API presenceMichał Gołębiowski-Owczarek2022-06-281-8/+8
| | | | | | | | | | Introduces a new test API, `includesModule`. The method returns whether a particular module like "ajax" or "deprecated" is included in the current jQuery build; it handles the slim build as well. The util was created so that we don't treat presence of particular APIs to decide whether to run a test as then if we accidentally remove an API, the tests would still not fail. Fixes gh-5069 Closes gh-5046
* Docs: Fix incorrect `trac-NUMBER` referencesMichał Gołębiowski-Owczarek2022-01-121-1/+1
| | | | | | | | PR gh-4993 changed a few too many issue references to `trac-NUMBER` ones. This change fixes them. It also fixes a typo in one Trac issue number in selector tests. Ref gh-4993 Closes gh-4995
* Docs: Replace `#NUMBER` Trac issue references with `trac-NUMBER`Michał Gołębiowski-Owczarek2022-01-041-42/+42
| | | | | | | | | | | | | The GitHub UI treats `#NUMBER` as referring to its own issues which is confusing when in jQuery source it's usually referring to the old deprecated Trac instance at https://bugs.jquery.com. This change replaces all such Trac references with `trac-NUMBER`. A few of the references came with the Sizzle integration and referred to the Sizzle GitHub bug tracker. Those have been replaced with full links instead. A new entry describing issue reference conventions has been added to README. Closes gh-4993
* Core:Manipulation: Add basic TrustedHTML supportMichał Gołębiowski-Owczarek2021-09-301-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Closes gh-4927 Ref gh-4642 Ref gh-4724
* Manipulation: Don't remove HTML comments from scriptsMichał Gołębiowski-Owczarek2021-07-191-6/+18
| | | | | | | | | | | | | | | | | | | When evaluating scripts, jQuery strips out the possible wrapping HTML comment and a CDATA section. However, all supported browsers are already doing that when loading JS via appending a script tag to the DOM which is how we've been doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g. it just stripped the `<!--` and `-->` markers, respectively at the beginning or the end of the script contents. However, browsers are also stripping everything following those markers in the same line, treating them as single-line comments delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead of fixing the jQuery logic, just let the browser do its thing. We also used to strip CDATA sections. However, this shouldn't be needed as in XML documents they're already not visible when inspecting element contents and in HTML documents they have no meaning. We've preserved that behavior for backwards compatibility in 3.x but we're removing it for 4.0. Fixes gh-4904 Closes gh-4906
* Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)Michał Gołębiowski-Owczarek2020-09-221-23/+6
| | | | | | | | | | | | Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft Edge version. Also, restrict some workarounds that were applied unconditionally in all browsers to run only in IE now. This slightly increases the size but reduces the performance burden on modern browsers that don't need the workarounds. Also, clean up some comments & remove some obsolete workarounds. Fixes gh-4568 Closes gh-4792
* Manipulation: Respect script crossorigin attribute in DOM manipulation高灰2020-09-221-0/+33
| | | | | | Fixes gh-4542 Closes gh-4563 Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
* Manipulation: Avoid concatenating strings in buildFragmentMichał Gołębiowski-Owczarek2020-06-101-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. All these improvements, apart from making logic more secure, decrease the gzipped size by 58 bytes. Closes gh-4724 Ref gh-4409 Ref angular/angular.js#17028 Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
* Tests: Workaround failures in recent XSS tests in iOS 8 - 12Michał Gołębiowski-Owczarek2020-04-301-7/+15
| | | | | | | iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no different to native behavior on that OS, though, so just accept it. Ref gh-4685 Closes gh-4694
* Docs: Fix typosPierre Grimaud2020-04-291-2/+2
| | | Closes gh-4686
* Tests: Add tests for recently fixed manipulation XSS issuesMichał Gołębiowski-Owczarek2020-04-291-0/+49
| | | | | Closes gh-4685 Ref gh-4642 Ref gh-4647
* Manipulation: Make jQuery.htmlPrefilter an identity functionMichał Gołębiowski-Owczarek2020-03-161-71/+67
| | | Closes gh-4642
* Core: Fire iframe script in its context, add doc param in globalEvalMichał Gołębiowski-Owczarek2020-02-101-0/+21
| | | | | | | | | | 1. Support passing custom document to jQuery.globalEval; the script will be invoked in the context of this document. 2. Fire external scripts appended to iframe contents in that iframe context; this was already supported & tested for inline scripts but not for external ones. Fixes gh-4518 Closes gh-4601
* Build:Tests: Fix custom build tests, verify on Travis Michał Gołębiowski-Owczarek2020-01-071-4/+5
| | | | | | | | | | | This commit fixes unit tests for the following builds: 1. The no-deprecated build: `custom:-deprecated` 2. The current slim build: `custom:-ajax,-effects` 3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects` It also adds separate Travis jobs for the no-deprecated & slim builds. Closes gh-4577
* Docs: Update links to EdgeHTML issues to go through Web ArchiveMichał Gołębiowski-Owczarek2020-01-071-3/+3
| | | | | | With Microsoft going Chromium with Edge, its old EdgeHTML issues were all removed. :( Closes gh-4584
* Docs: Update most URLs to HTTPSMichał Gołębiowski-Owczarek2019-10-211-4/+4
| | | Closes gh-4511
* Selector: Inline Sizzle into the selector moduleMichał Gołębiowski-Owczarek2019-07-291-6/+6
| | | | | | | | | | | | | | | | | | This commit removes Sizzle from jQuery, inlining its code & removing obsolete workarounds where applicable. The selector-native module has been removed. Further work on the selector module may decrease the size enough that it will no longer be necessary. If it turns out it's still useful, we'll reinstate it but the code will look different anyway as we'll want to share as much code as possible with the existing selector module. The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are sorted by their first contributions to either of the two repositories. The commit reduces the gzipped jQuery size by 1460 bytes compared to master. Closes gh-4395
* Selector: Port Sizzle tests to jQueryMichał Gołębiowski-Owczarek2019-06-261-1/+1
| | | | | | | Apart from porting most Sizzle tests to jQuery (mostly to its selector module), this commit fixes selector-native so that a jQuery custom compilation that excludes Sizzle passes all tests as well. Closes gh-4406
* Core: Remove IE-specific support tests, rely on document.documentModeMichał Gołębiowski-Owczarek2019-05-131-16/+13
| | | | | | | Also, update some tests to IE-sniff when deciding whether to skip a test. Fixes gh-4386 Closes gh-4387
* Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJSMichał Gołębiowski-Owczarek2019-04-291-75/+33
| | | | | | | | | | | Also, update support comments format to match format described in: https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197 with the change from: https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379 (open-ended ranges end with `+`). Fixes gh-3950 Fixes gh-4299 Closes gh-4347
* Core: Preserve CSP nonce on scripts with src attribute in DOM manipulationbuddh42019-03-251-0/+23
| | | | | Fixes gh-4323 Closes gh-4328
* Build: Update QUnit from 1.23.1 to 2.9.2Michał Gołębiowski-Owczarek2019-03-041-2/+2
| | | Closes gh-4307
* Build: Update test code for compatibility with QUnit 2.x (#4297)abnud12019-02-181-36/+41
| | | | | | | | Also, run `grunt npmcopy` to sync the "external" directory with dependencies from package.json. For example, the Sinon library version didn't match. Ref gh-4234 Closes gh-4297
* Core: Support passing nonce through jQuery.globalEvalMichał Gołębiowski-Owczarek2019-01-211-0/+23
| | | | | | Fixes gh-4278 Closes gh-4280 Ref gh-3541 Ref gh-4269
* Manipulation: Respect script nomodule attribute in DOM manipulationMichał Gołębiowski-Owczarek2019-01-211-1/+31
| | | | | | | | | | | | | PR #3869 added support for `<script type="module">` & some support for the `nomodule` attribute but with no tests for `nomodule` and with the attribute only respected on inline scripts. This commit adds support for source-based scripts as well. It also adds tests for `nomodule`, including making sure legacy browsers execute such scripts as they'd natively do - that's the whole point of `nomodule` scripts, after all. Fixes gh-4281 Closes gh-4282 Ref gh-3871 Ref gh-3869
* Tests: Skip nonce tests in old iOS/Android as wellMichał Gołębiowski-Owczarek2019-01-141-2/+5
| | | | | | | | | | Old iOS & Android Browser versions support script-src but not nonce, making the nonce test impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip script-src restrictions completely. Ref gh-3541 Ref gh-4269 Ref c7c2855ed13f23322c4064407c1ed84561b95738
* Core: Preserve CSP nonce on scripts in DOM manipulationMichał Gołębiowski-Owczarek2019-01-141-0/+20
| | | | Fixes gh-3541 Closes gh-4269
* Manipulation: Only evaluate HTTP-successful script srcRichard Gibson2018-12-121-0/+17
| | | | | Fixes gh-4126 Closes gh-4243
* Tests: Skip module tests in EdgeMichał Gołębiowski-Owczarek2018-07-301-1/+7
| | | | | | Edge sometimes doesn't execute module scripts. It needs to be investigated why but for now, we're skipping the test to make our tests more stable. Closes gh-4140
* Manipulation: Properly detect HTML elements with single-character namesRichard Gibson2018-07-131-0/+15
| | | | Fixes gh-4124 Closes gh-4125
* Tests: ensure that module assertions run on supported browsersTimmy Willison2018-01-161-8/+14
| | | | | | - Also fixes tests for karma, where the URL for the module is different Ref gh-3871
* Manipulation: Add support for scripts with module typebasil.belokon2018-01-161-0/+16
| | | | | Fixes gh-3871 Close gh-3869
* Core: deprecate jQuery.isFunctionJason Bedard2018-01-151-1/+1
| | | | Fixes gh-3609
* Tests: Add support for running unit tests via grunt with karmaTimo Tijhof2017-12-181-2/+2
| | | | | | | | | | | | | - Update QUnit to 1.23.1 - Remove unused dl#dl from test/index.html - Remove unused map#imgmap from test/index.html - Ensure all urls to data use baseURI - Add the 'grunt karma:main' task - customContextFile & customDebugFile - Add 'npm run jenkins' script Close gh-3744 Fixes gh-1999
* Tests: minor typosAndreas Solleder2017-06-051-1/+1
| | | | Close gh-3671
* Core: Deprecate jQuery.nodeNamekaran-962017-03-011-8/+8
| | | | | Fixes gh-3475 Closes gh-3505
* Manipulation: Restrict the tbody search to child nodesRichard Gibson2017-01-091-0/+20
| | | | | | | For performance, use a querySelectorAll path instead of Javascript iteration. http://codepen.io/anon/pen/vywJjx?editors=1010 Fixes gh-3439 Closes gh-3463
* Build: More ESLint related changesOleg Gaidarenko2016-07-091-1/+1
|
* Build: ESLint detailsOleg Gaidarenko2016-06-111-9/+9
| | | | | | Use eslint pragmas, fix new errors, etc Closes gh-3148
* Tests: Refactor testIframe() to make it DRYer and more consistentDave Methvin2016-04-111-5/+5
| | | | | Ref gh-3040 Closes gh-3049
* Docs:Tests: Remove obsolete code from tests, update support commentsMichał Gołębiowski2016-03-081-30/+2
| | | | | | | | | | Support comments that were lacking the final IE/Edge version that exhibits the bug were checked & updated. Links to the Chromium bug tracker were updated. Code in tests related to unsupported browsers (like Android 2.3 in non-basic tests) has been removed. Fixes gh-2868 Closes gh-2949
* Tests: Fix manipulation tests in Android 4.4Michał Gołębiowski2016-01-271-0/+12
| | | | | | Chromium < 35 incorrectly upper-cases µ; Android 4.4 uses such a version by default (and its WebView, being un-updatable, will use it for eternity) so we need to blacklist that one for the tests to pass.
* Docs: Updated links to https where they are supported.Jon Dufresne2016-01-131-1/+1
| | | | Close gh-2746
* Docs: Fix various spelling errorsJosh Soref2016-01-131-3/+3
| | | | Closes gh-2761