aboutsummaryrefslogtreecommitdiffstats
path: root/test/unit/manipulation.js
Commit message (Collapse)AuthorAgeFilesLines
* Docs: Fix incorrect `trac-NUMBER` referencesMichał Gołębiowski-Owczarek2022-01-121-1/+1
| | | | | | | | PR gh-4993 changed a few too many issue references to `trac-NUMBER` ones. This change fixes them. It also fixes a typo in one Trac issue number in selector tests. Ref gh-4993 Closes gh-4995
* Docs: Replace `#NUMBER` Trac issue references with `trac-NUMBER`Michał Gołębiowski-Owczarek2022-01-041-42/+42
| | | | | | | | | | | | | The GitHub UI treats `#NUMBER` as referring to its own issues which is confusing when in jQuery source it's usually referring to the old deprecated Trac instance at https://bugs.jquery.com. This change replaces all such Trac references with `trac-NUMBER`. A few of the references came with the Sizzle integration and referred to the Sizzle GitHub bug tracker. Those have been replaced with full links instead. A new entry describing issue reference conventions has been added to README. Closes gh-4993
* Core:Manipulation: Add basic TrustedHTML supportMichał Gołębiowski-Owczarek2021-09-301-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Closes gh-4927 Ref gh-4642 Ref gh-4724
* Manipulation: Don't remove HTML comments from scriptsMichał Gołębiowski-Owczarek2021-07-191-6/+18
| | | | | | | | | | | | | | | | | | | When evaluating scripts, jQuery strips out the possible wrapping HTML comment and a CDATA section. However, all supported browsers are already doing that when loading JS via appending a script tag to the DOM which is how we've been doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g. it just stripped the `<!--` and `-->` markers, respectively at the beginning or the end of the script contents. However, browsers are also stripping everything following those markers in the same line, treating them as single-line comments delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead of fixing the jQuery logic, just let the browser do its thing. We also used to strip CDATA sections. However, this shouldn't be needed as in XML documents they're already not visible when inspecting element contents and in HTML documents they have no meaning. We've preserved that behavior for backwards compatibility in 3.x but we're removing it for 4.0. Fixes gh-4904 Closes gh-4906
* Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)Michał Gołębiowski-Owczarek2020-09-221-23/+6
| | | | | | | | | | | | Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft Edge version. Also, restrict some workarounds that were applied unconditionally in all browsers to run only in IE now. This slightly increases the size but reduces the performance burden on modern browsers that don't need the workarounds. Also, clean up some comments & remove some obsolete workarounds. Fixes gh-4568 Closes gh-4792
* Manipulation: Respect script crossorigin attribute in DOM manipulation高灰2020-09-221-0/+33
| | | | | | Fixes gh-4542 Closes gh-4563 Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
* Manipulation: Avoid concatenating strings in buildFragmentMichał Gołębiowski-Owczarek2020-06-101-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. All these improvements, apart from making logic more secure, decrease the gzipped size by 58 bytes. Closes gh-4724 Ref gh-4409 Ref angular/angular.js#17028 Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
* Tests: Workaround failures in recent XSS tests in iOS 8 - 12Michał Gołębiowski-Owczarek2020-04-301-7/+15
| | | | | | | iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no different to native behavior on that OS, though, so just accept it. Ref gh-4685 Closes gh-4694
* Docs: Fix typosPierre Grimaud2020-04-291-2/+2
| | | Closes gh-4686
* Tests: Add tests for recently fixed manipulation XSS issuesMichał Gołębiowski-Owczarek2020-04-291-0/+49
| | | | | Closes gh-4685 Ref gh-4642 Ref gh-4647
* Manipulation: Make jQuery.htmlPrefilter an identity functionMichał Gołębiowski-Owczarek2020-03-161-71/+67
| | | Closes gh-4642
* Core: Fire iframe script in its context, add doc param in globalEvalMichał Gołębiowski-Owczarek2020-02-101-0/+21
| | | | | | | | | | 1. Support passing custom document to jQuery.globalEval; the script will be invoked in the context of this document. 2. Fire external scripts appended to iframe contents in that iframe context; this was already supported & tested for inline scripts but not for external ones. Fixes gh-4518 Closes gh-4601
* Build:Tests: Fix custom build tests, verify on Travis Michał Gołębiowski-Owczarek2020-01-071-4/+5
| | | | | | | | | | | This commit fixes unit tests for the following builds: 1. The no-deprecated build: `custom:-deprecated` 2. The current slim build: `custom:-ajax,-effects` 3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects` It also adds separate Travis jobs for the no-deprecated & slim builds. Closes gh-4577
* Docs: Update links to EdgeHTML issues to go through Web ArchiveMichał Gołębiowski-Owczarek2020-01-071-3/+3
| | | | | | With Microsoft going Chromium with Edge, its old EdgeHTML issues were all removed. :( Closes gh-4584
* Docs: Update most URLs to HTTPSMichał Gołębiowski-Owczarek2019-10-211-4/+4
| | | Closes gh-4511
* Selector: Inline Sizzle into the selector moduleMichał Gołębiowski-Owczarek2019-07-291-6/+6
| | | | | | | | | | | | | | | | | | This commit removes Sizzle from jQuery, inlining its code & removing obsolete workarounds where applicable. The selector-native module has been removed. Further work on the selector module may decrease the size enough that it will no longer be necessary. If it turns out it's still useful, we'll reinstate it but the code will look different anyway as we'll want to share as much code as possible with the existing selector module. The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are sorted by their first contributions to either of the two repositories. The commit reduces the gzipped jQuery size by 1460 bytes compared to master. Closes gh-4395
* Selector: Port Sizzle tests to jQueryMichał Gołębiowski-Owczarek2019-06-261-1/+1
| | | | | | | Apart from porting most Sizzle tests to jQuery (mostly to its selector module), this commit fixes selector-native so that a jQuery custom compilation that excludes Sizzle passes all tests as well. Closes gh-4406
* Core: Remove IE-specific support tests, rely on document.documentModeMichał Gołębiowski-Owczarek2019-05-131-16/+13
| | | | | | | Also, update some tests to IE-sniff when deciding whether to skip a test. Fixes gh-4386 Closes gh-4387
* Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJSMichał Gołębiowski-Owczarek2019-04-291-75/+33
| | | | | | | | | | | Also, update support comments format to match format described in: https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197 with the change from: https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379 (open-ended ranges end with `+`). Fixes gh-3950 Fixes gh-4299 Closes gh-4347
* Core: Preserve CSP nonce on scripts with src attribute in DOM manipulationbuddh42019-03-251-0/+23
| | | | | Fixes gh-4323 Closes gh-4328
* Build: Update QUnit from 1.23.1 to 2.9.2Michał Gołębiowski-Owczarek2019-03-041-2/+2
| | | Closes gh-4307
* Build: Update test code for compatibility with QUnit 2.x (#4297)abnud12019-02-181-36/+41
| | | | | | | | Also, run `grunt npmcopy` to sync the "external" directory with dependencies from package.json. For example, the Sinon library version didn't match. Ref gh-4234 Closes gh-4297
* Core: Support passing nonce through jQuery.globalEvalMichał Gołębiowski-Owczarek2019-01-211-0/+23
| | | | | | Fixes gh-4278 Closes gh-4280 Ref gh-3541 Ref gh-4269
* Manipulation: Respect script nomodule attribute in DOM manipulationMichał Gołębiowski-Owczarek2019-01-211-1/+31
| | | | | | | | | | | | | PR #3869 added support for `<script type="module">` & some support for the `nomodule` attribute but with no tests for `nomodule` and with the attribute only respected on inline scripts. This commit adds support for source-based scripts as well. It also adds tests for `nomodule`, including making sure legacy browsers execute such scripts as they'd natively do - that's the whole point of `nomodule` scripts, after all. Fixes gh-4281 Closes gh-4282 Ref gh-3871 Ref gh-3869
* Tests: Skip nonce tests in old iOS/Android as wellMichał Gołębiowski-Owczarek2019-01-141-2/+5
| | | | | | | | | | Old iOS & Android Browser versions support script-src but not nonce, making the nonce test impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip script-src restrictions completely. Ref gh-3541 Ref gh-4269 Ref c7c2855ed13f23322c4064407c1ed84561b95738
* Core: Preserve CSP nonce on scripts in DOM manipulationMichał Gołębiowski-Owczarek2019-01-141-0/+20
| | | | Fixes gh-3541 Closes gh-4269
* Manipulation: Only evaluate HTTP-successful script srcRichard Gibson2018-12-121-0/+17
| | | | | Fixes gh-4126 Closes gh-4243
* Tests: Skip module tests in EdgeMichał Gołębiowski-Owczarek2018-07-301-1/+7
| | | | | | Edge sometimes doesn't execute module scripts. It needs to be investigated why but for now, we're skipping the test to make our tests more stable. Closes gh-4140
* Manipulation: Properly detect HTML elements with single-character namesRichard Gibson2018-07-131-0/+15
| | | | Fixes gh-4124 Closes gh-4125
* Tests: ensure that module assertions run on supported browsersTimmy Willison2018-01-161-8/+14
| | | | | | - Also fixes tests for karma, where the URL for the module is different Ref gh-3871
* Manipulation: Add support for scripts with module typebasil.belokon2018-01-161-0/+16
| | | | | Fixes gh-3871 Close gh-3869
* Core: deprecate jQuery.isFunctionJason Bedard2018-01-151-1/+1
| | | | Fixes gh-3609
* Tests: Add support for running unit tests via grunt with karmaTimo Tijhof2017-12-181-2/+2
| | | | | | | | | | | | | - Update QUnit to 1.23.1 - Remove unused dl#dl from test/index.html - Remove unused map#imgmap from test/index.html - Ensure all urls to data use baseURI - Add the 'grunt karma:main' task - customContextFile & customDebugFile - Add 'npm run jenkins' script Close gh-3744 Fixes gh-1999
* Tests: minor typosAndreas Solleder2017-06-051-1/+1
| | | | Close gh-3671
* Core: Deprecate jQuery.nodeNamekaran-962017-03-011-8/+8
| | | | | Fixes gh-3475 Closes gh-3505
* Manipulation: Restrict the tbody search to child nodesRichard Gibson2017-01-091-0/+20
| | | | | | | For performance, use a querySelectorAll path instead of Javascript iteration. http://codepen.io/anon/pen/vywJjx?editors=1010 Fixes gh-3439 Closes gh-3463
* Build: More ESLint related changesOleg Gaidarenko2016-07-091-1/+1
|
* Build: ESLint detailsOleg Gaidarenko2016-06-111-9/+9
| | | | | | Use eslint pragmas, fix new errors, etc Closes gh-3148
* Tests: Refactor testIframe() to make it DRYer and more consistentDave Methvin2016-04-111-5/+5
| | | | | Ref gh-3040 Closes gh-3049
* Docs:Tests: Remove obsolete code from tests, update support commentsMichał Gołębiowski2016-03-081-30/+2
| | | | | | | | | | Support comments that were lacking the final IE/Edge version that exhibits the bug were checked & updated. Links to the Chromium bug tracker were updated. Code in tests related to unsupported browsers (like Android 2.3 in non-basic tests) has been removed. Fixes gh-2868 Closes gh-2949
* Tests: Fix manipulation tests in Android 4.4Michał Gołębiowski2016-01-271-0/+12
| | | | | | Chromium < 35 incorrectly upper-cases µ; Android 4.4 uses such a version by default (and its WebView, being un-updatable, will use it for eternity) so we need to blacklist that one for the tests to pass.
* Docs: Updated links to https where they are supported.Jon Dufresne2016-01-131-1/+1
| | | | Close gh-2746
* Docs: Fix various spelling errorsJosh Soref2016-01-131-3/+3
| | | | Closes gh-2761
* Manipulation: Bring tagname regexes up to specLeonardo Braga2016-01-071-0/+67
| | | | | Fixes gh-2005 Closes gh-2634
* Selector: pass jQuery unit tests with selector-nativeTimmy Willison2015-11-111-101/+122
| | | | | | | | | - Ignore certain tests that obviously are not supported - Beefed up the sortOrder, uniqueSort, isXMLDoc, and attr functions Fixes gh-1742 Fixes gh-2048 Close gh-2703
* Manipulation: execute scripts from iframe in the iframe's contextTimmy Willison2015-11-091-0/+11
| | | | | Fixes gh-1757 Close gh-2696
* Data: avoid using delete on DOM nodesJason Bedard2015-09-081-2/+2
| | | | Closes gh-2479
* Tests: further improvements QUnit 2.0 migrationOleg Gaidarenko2015-09-081-4/+4
| | | | | | | | * Remove QUnit jshint globals * Extend QUnit.assert methods * Use assert.async instead of start/stop/done Ref b930d14ce64937e9478405eee2828d4da091d2cb
* Build: Update jscs and lint filesOleg Gaidarenko2015-09-071-789/+788
| | | | Fixes gh-2056
* Tests: partially use new qunit interfaceOleg Gaidarenko2015-08-161-671/+671
| | | | | | | | | | | | http://qunitjs.com/upgrade-guide-2.x/ For most of the boring work was used https://github.com/apsdehal/qunit-migrate package However, it can't update local qunit helpers, plus in some places old QUnit.asyncTest signature is still used Fixes gh-2540
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-11 22:17:27 +0000