This is an edge case and it only affects code accepting untrusted input as
a widget name, but it's still technically correct to filter these out.
Closes gh-2310
The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` so far accepted
many characters that have special meaning, leading to possibly reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.
This should resolve one CodeQL alert.
Closes gh-2309
The previous private `_sanitizeSelector` API was not correctly escaping
backslashes and is now removed. The native API should always be correct.
Closes gh-2307
The transfer effect is deprecated and not present unless `$.uiBackCompat` is set
to `true`. In previous UI versions, the default was including the backwards
compat layer so these demos & tests worked; now they do not by default. Just
remove them.
Fixes gh-2278
Closes gh-2291
Implement a new option: `uiDialogTitleHeadingLevel`, allowing to change
the `span` wrapping the dialog title into a heading element (`h1`-`h6`).
Value `0` represents the `span`, values 1-6 - a heading at the specified
level.
Fixes gh-2271
Closes gh-2275
The "common widget" tests, checking if a widget doesn't overwrite some
core widget APIs wasn't running as it was incorrectly checking for
`$.uiBackCompat === false` instead of `$.uiBackCompat !== true` after the
default changed in gh-2250.
Fixing the check uncovered that the draggable & sortable modules do
overwrite the `_trigger` method. Add an exception in the test for that;
at this stage of the project we don't plan to change the implementation.
Closes gh-2286
Ref gh-2250
When the datepicker UI is shown and then destroyed programmatically:
```js
$( "#datepicker" ).datepicker( "destroy" );
```
hide the datepicker UI without the need for an explicit user action.
Previously, in 1.12 the UI would not disappear immediately but only after the
first `mousedown`. In later 1.13 versions, the UI would not disappear at all.
Fixes gh-2178
Closes gh-2268
Apart from updating jQuery Migrate, the setup is now changed so that exact
Migrate versions are only references when fetching npm packages; other than
that, they're represented as `jquery-migrate-1.x` & `jquery-migrate-3.x`. This
will allow smaller changes when updating jQuery Migrate in the future.
Closes gh-2273
Reflect the `modal` dialog option into the `aria-modal` attribute -
when `modal` is `true`, set `aria-modal` to `"true"`.
This helps some accessibility tools like VoiceOver with their rotor
functionality as it reduces the number of elements presented.
Fixes gh-2246
Closes gh-2257
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Avoid relying on jQuery patches. Instead:
* use `CSS.escape` instead of `jQuery.escapeSelector`
* use `.filter()` with a proper handler instead of `.even()`
Keep `jquery-patch.js` for backwards compatibility, though.
Also, add tests for jquery-patch.
Ref gh-2249
jQuery 3.6 has issues with focus handling in IE which breaks this test.
The issues were fixed in jQuery 3.7, so we just accept them here.
Closes gh-2231
One of the changes is increasing `revertDuration` from 200 to 300. For some
reason, when jQuery 3.1 is used in an iframe (which TestSwarm uses) the timings
are lower than expected and `setTimeout` too slow and the check for animation
happens too late.
Closes gh-2230
The test "#8958: dialog can be opened while opening" had special behavior in
jQuery 1.8 and the patch from commit 7adb13ac7c
broke those assumptions. Adjust the test so that it passes again.
Closes gh-2229
In IE, `option` elements may have different initial `option` colors.
They may initially all be transparent, but later the selected
option gets a blue background with white text; we now ignore it.
The logic of `qunit-assert-domequal` was also fixed to use the same
method of fetching styles in all browsers; IE used to get a legacy
one meant for IE <9 due to a mistake in the performed check.
jQuery 3.0 & 3.1 used `getBoundingClientRect()` in its `width`/`height`
calculations and that causes minor differences in fractional width computations.
Allow a tiny delta in tests to fix those tests breaking in Firefox.
Ref jquery/jquery#3561
Closes gh-2159
Change a2b25ef6ca made options with
the `hidden` attribute skipped when rendering. However, that makes
indexes misaligned with native options as hidden ones maintain their
index values. Instead, don't skip hidden options but add the `hidden`
attribute to the respective jQuery UI elements as well.
Fixes gh-2082
Closes gh-2144
Ref a2b25ef6ca
Changes:
* add `tests/lib/vendor/**/*` to `.eslintignore`
* move `qunit-composite` to `tests/lib` so that we can modify it
* move `qunit-assert-classes` to `tests/lib` so that we can modify it
* move `qunit-assert-close` to `tests/lib` so that we can modify it
* replace `assert.push` with `assert.pushResult`
* remove usage of `QUnit.extend`
Closes gh-2157
Also, workaround issues with QUnit Chrome bridge: the Chrome bridge
from `grunt-contrib-qunit` is now getting injected into every single
iframe, including an empty one that has no intention of running QUnit
tests. Since that bridge requires QUnit, it fails with an error
in such cases. Workaround the issue by wrapping the bridge in
another function that bails early if QUnit is not defined.
Ref gh-2157
Self-closing tags are reported by newer versions of the htmllint
Grunt plugin. They also don't make sense in our HTML files
since they are not XHTML-compliant and they run in HTML mode
anyway.
Ref gh-2157
The docs say that valid periods when using string value and
period pairs as relative dates are "y", "m", "w", and "d"
https://api.jqueryui.com/datepicker/
Closes gh-2143
If you generate a Checkboxradio from a checkbox/radio with a label that
contains encoded HTML, e.g. `<em>test</em>` this will work fine
at first. If, however a refresh is triggered on that instance (explicitly or
e.g. by turning it into a `Controlgroup`), the previously escaped HTML will
now be evaluated.
If the label was created based on some user input, this could lead to
unexpected code execution even though the initial output was escaped.
Fixes gh-2101
Closes gh-2102
jQuery UI 1.13.0 changed the logic attaching the `_untrackClassesElement`
listener in the `_classes` widget method; one of the side effects was calling
`this._on` for each node that needed the listener. That caused a severe
performance degradation for large comboboxes as each `_on` jQuery UI call
causes a jQuery `add` call that calls Sizzle's `uniqueSort` underneath.
Instead, collect the nodes that need the listener and then, outside of the loop,
create a jQuery object out of them and attach the listener once. That's still
slower than the jQuery 1.12 version but only slightly: 936 ms to 1.03s on a very
large list on a recent MacBook Pro, compared to ~30 seconds before this patch.
Fixes gh-2014
Closes gh-2037
This fixes the issue caused by https://bugs.jqueryui.com/ticket/9357.
We now empty the live region instead of appending to it, and we do so
after a brief timeout so the live region isn't updated on every mousemove
event or when quickly traversing through options.
Fixes gh-2002
Closes gh-2031
Due to the fact the widget factory code is now in strict mode, the check for
being called without using the `new` keyword started breaking if you save the
widget constructor to a variable before calling it:
```js
var customWidget = $.custom.customWidget;
customWidget( {}, elem );
```
as then `this` is undefined and checking for `this._createWidget` crashes.
Account for that with an additional check.
Fixes gh-2015
Closes gh-2019
PR gh-1793 removed setting `this.offset.parent` in the Draggable
`refreshPositions` method which broke position calculations when moving
a Draggable item into a connected Sortable. restore that assignment.
Ref gh-1793
Fixes gh-2001
Closes gh-2009
Note that container specific events will not fire when the dragged element
is interacting with zero height containers.
Fixes gh-1998
Closes gh-2008
Co-authored-by: A. Wells <borgboyone@users.noreply.github.com>
