| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
The spec has recently changed and CSS Custom Properties values are trimmed now.
This change makes jQuery polyfill that new behavior for all browsers.
Ref w3c/csswg-drafts#774
Fixes gh-4926
Closes gh-4930
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comments
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.
We also used to strip CDATA sections. However, this shouldn't be needed as in
XML documents they're already not visible when inspecting element contents and
in HTML documents they have no meaning. We've preserved that behavior for
backwards compatibility in 3.x but we're removing it for 4.0.
Fixes gh-4904
Closes gh-4906
|
| |
|
|
|
| |
Also, remove unused `expected` property in `css` test cases.
Closes gh-4866
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `_default` function in the special event settings for focus/blur has
always returned `true` since gh-4813 as the event was already being fired
from `leverageNative`. However, that only works if there's an active handler
on that element; this made a quick consecutive call:
```js
elem.on( "focus", function() {} ).off( "focus" );
```
make subsequent `.trigger( "focus" )` calls to not do any triggering.
The solution, already used in a similar `_default` method for the `click` event,
is to check for the `dataPriv` entry on the element for the focus event
(similarly for blur).
Fixes gh-4867
Closes gh-4885
|
| |
|
|
|
|
|
| |
Chrome & Firefox now support complex `:not()` selectors so those test can run
in them even without custom jQuery selector code. In the past, it was only
possible in Safari, now we only need to exclude IE.
Closes gh-4864
|
| |
|
|
|
|
| |
The default branch was updated, this updates the remaining occurrences in code
& comments.
Closes gh-4838
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic same-domain scripts as well.
After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script` in `jQuery.ajax` options or to use
`jQuery.getScript`.
Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
"text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
query string parameter
Closes gh-4824
Ref gh-2432
Ref gh-2588
Ref 39cdb8c9aa0fde68f733553ba050a2ba9d86474c
|
| |
|
|
|
|
|
|
| |
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties
Fixes gh-4529
Closes gh-4808
|
| |
|
|
| |
Fixes gh-4784
Closes gh-4816
|
| |
|
|
| |
Fixes gh-4782
Closes gh-4814
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If during a focus handler another focus event is triggered:
```js
elem1.on( "focus", function() {
elem2.trigger( "focus" );
} );
```
due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.
This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.
A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.
Fixes gh-4382
Closes gh-4813
Ref gh-4279
|
| |
|
|
|
|
|
|
|
|
| |
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.
Fixes gh-4417
Closes gh-4799
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.
Also, clean up some comments & remove some obsolete workarounds.
Fixes gh-4568
Closes gh-4792
|
| |
|
|
|
|
| |
Fixes gh-4542
Closes gh-4563
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
|
| |
|
|
|
|
|
|
| |
The test has been already skipped in Chrome as it dropped support for such
requests and now Safari has joined the squad.
This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13.
Closes gh-4779
|
| |
|
|
|
|
|
| |
The behavior of this signature is not intuitive, especially if classes are
manipulated via other ways between `toggleClass` calls.
Fixes gh-3388
Closes gh-4766
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.
This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.
Fixes gh-4771
Closes gh-4773
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.
For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.
The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.
Fixes gh-3969
Closes gh-4763
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.
Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.
This commit disables the auto-promoting logic.
BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.
Fixes gh-1799
Fixes gh-3376
Closes gh-4754
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.
The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.
IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.
All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.
Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
|
| |
|
|
|
|
| |
The API has been deprecated in 3.5.0 so it can be removed in 4.0.0.
Ref gh-4461
Closes gh-4695
|
| |
|
|
|
|
| |
PR gh-4586 removed some of those but not all.
Closes gh-4715
Ref gh-4586
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.
To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.
Closes gh-4704
Ref jquery/jquery-migrate#346
|
| |
|
|
|
|
|
| |
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.
Ref gh-4685
Closes gh-4694
|
| |
|
| |
Closes gh-4686
|
| |
|
|
|
| |
Closes gh-4685
Ref gh-4642
Ref gh-4647
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport tests from a jQuery 3.x fix that's not needed on `master`.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5aa415367a7dae0b55c2dd17b591442d - the commit that
introduced the regression - to make sure we don't regress on either front.
The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.
(cherry picked from 9e15d6b469556eccfa607c5ecf53b20c84529125)
(cherry picked from 1a4f10ddc37c34c6dc3a451ee451b5c6cf367399)
Ref gh-4652
Ref gh-4656
Closes gh-4657
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
Fixes gh-4119
Closes gh-4650
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
|
| |
|
| |
Closes gh-4642
|
| |
|
|
|
|
|
| |
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.
Fixes gh-3256
Closes gh-4603
|
| |
|
|
|
|
| |
It is no longer needed to create `done` wrappers in tests that require
multiple async operations to complete.
Closes gh-4633
|
| |
|
|
|
|
|
|
|
|
| |
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
Fixes gh-4518
Closes gh-4601
|
| |
|
|
|
|
|
|
|
|
| |
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.
This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.
Closes gh-4585
|
| |
|
|
|
| |
The tests relied on `jQuery.cache` so they only ever worked in jQuery 1.x.
Closes gh-4586
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.
Closes gh-4577
|
| |
|
|
|
|
| |
With Microsoft going Chromium with Edge, its old EdgeHTML issues were all
removed. :(
Closes gh-4584
|
| |
|
|
|
|
|
| |
Remove the workaround for a broken `:enabled` pseudo-class on anchor elements
in Chrome <=77. These versions of Chrome considers anchor elements with the
`href` attribute as matching `:enabled`.
Closes gh-4569
|
| |
|
|
|
|
| |
Also, run such a suite in CI to make sure modules are working as expected
when used directly.
Closes gh-4550
|
| |
|
|
|
|
|
|
|
|
| |
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.
Fixes gh-4397
Closes gh-4558
|
| |
|
|
|
|
|
|
|
|
| |
qSA in IE 11/Edge often (but not always) don't find elements with an empty
name attribute selector (`[name=""]`). Detect that & fall back to Sizzle
traversal.
Interestingly, IE 10 & older don't seem to have the issue.
Fixes gh-4435
Closes gh-4510
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Firefox 70 & newer fail this test but the issue there is more profound - Firefox
doesn't subtract borders from table row computed widths.
Closes gh-4537
Ref jquery/jquery#4529
Ref https://bugzilla.mozilla.org/show_bug.cgi?id=1590837
Ref w3c/csswg-drafts#4444
(cherry picked from commit c79e1d5fefc50b1df0a1c2ca3f06b567e79c0f9b)
|
| |
|
|
|
|
|
|
|
|
| |
Chrome 78 dropped support for synchronous XHR requests inside of
beforeunload, unload, pagehide, and visibilitychange event handlers.
See https://bugs.chromium.org/p/chromium/issues/detail?id=952452
Closes gh-4536
(cherry picked from commit c5b48c8caa58e7b73164ac033bf726a072903708)
|
| |
|
| |
Closes gh-4511
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Sizzle's PR jquery/sizzle#456 introduced a test catching not throwing on
badly-escaped identifiers by Firefox 3.6-5. Unfortunately, it was placed just
before a test Opera 10-11 failed, making Opera fail quicker and not adding
a post-comma invalid selector to rbuggyQSA.
The issue was fixed in jquery/sizzle#463. This jQuery commit backports the test
that Sizzle PR added as no workarounds are needed in browsers jQuery supports.
Closes gh-4516
Ref jquery/sizzle#456
Ref jquery/sizzle#463
|
| |
|
|
|
| |
This prepares us for possibly hiding jQuery.find in jQuery 4.0.
Closes gh-4517
|
| |
|
|
| |
Fixes gh-4490
Closes gh-4506
|
| |
|
|
|
|
|
|
|
| |
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).
Fixes gh-4250
Closes gh-4379
|
| |
|
|
|
|
|
|
|
|
|
| |
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.
Fixes gh-4320
Closes gh-4459
|
| |
|
|
|
|
| |
`:even` & `:odd` are deprecated since jQuery 3.4.0 & will be removed in 4.0.0.
The new `even()` & `odd()` methods will make the migration easier.
Closes gh-4485
|
