If you generate a Checkboxradio from a checkbox/radio with a label that
contains encoded HTML, e.g. `&lt;em&gt;test&lt;/em&gt;`, this will work fine
at first. If, however, a refresh is triggered on that instance (explicitly or
e.g. by turning it into a `Controlgroup`), the previously escaped HTML will
now be evaluated.
If the label was created based on some user input, this could lead to
unexpected code execution even though the initial output was escaped.
Fixes gh-2101
Closes gh-2102
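
The escaped-then-evaluated round trip described in the commit message above, as an added example that is not jQuery UI's code. It assumes a widget that rebuilds a label from its serialized child nodes on refresh; the node model and all function names are hypothetical, and it runs in Node without a DOM.

```javascript
// Added example: models a label's child nodes without a DOM.
// All names are hypothetical; this is not jQuery UI's implementation.

// HTML-escape text so it can be placed back into markup as inert text.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  }[c]));
}

// What an HTML parser does to character references in text: "&lt;" becomes "<".
function decodeEntities(src) {
  return src.replace(/&(lt|gt|amp|quot|#39);/g, (m, name) =>
    ({ lt: "<", gt: ">", amp: "&", quot: '"', "#39": "'" }[name]));
}

// Constructed sample: server-escaped user input plus one genuine child element.
const escapedUserInput = "&lt;em&gt;test&lt;/em&gt;";
const labelNodes = [
  { type: "text", data: decodeEntities(escapedUserInput) }, // the DOM holds decoded text
  { type: "element", outerHTML: '<span class="icon"></span>' }
];

// Flawed: text node data is concatenated raw and the result is reused as HTML.
function serializeUnsafe(nodes) {
  return nodes.map((n) => (n.type === "text" ? n.data : n.outerHTML)).join("");
}

// Hardened: text node data is re-escaped before it re-enters an HTML context.
function serializeSafe(nodes) {
  return nodes
    .map((n) => (n.type === "text" ? escapeHtml(n.data) : n.outerHTML))
    .join("");
}

// Count start tags that a parser would turn into elements.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Compare the elements a refresh would create with the elements really present.
function refreshReport(nodes) {
  const expected = nodes.filter((n) => n.type === "element").length;
  return {
    expected,
    unsafe: countStartTags(serializeUnsafe(nodes)),
    safe: countStartTags(serializeSafe(nodes))
  };
}
```

A regression test for this class of bug can assert the same property against the real widget: after a refresh, the label contains no elements beyond the ones it had at creation.
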
Unfortunately, we cannot update all of them to their latest versions as some
of them now require Node.js 12 and we need to be able to build on Node 10 as
that's what our Jenkins runs.
jQuery UI 1.13.0 changed the logic attaching the `_untrackClassesElement`
listener in the `_classes` widget method; one of the side effects was calling
`this._on` for each node that needed the listener. That caused a severe
performance degradation for large comboboxes as each `_on` jQuery UI call
causes a jQuery `add` call that calls Sizzle's `uniqueSort` underneath.
Instead, collect the nodes that need the listener and then, outside of the loop,
create a jQuery object out of them and attach the listener once. That's still
slower than the jQuery 1.12 version but only slightly: 936 ms to 1.03s on a very
large list on a recent MacBook Pro, compared to ~30 seconds before this patch.
Fixes gh-2014
Closes gh-2037
This fixes the issue caused by https://bugs.jqueryui.com/ticket/9357.
We now empty the live region instead of appending to it, and we do so
after a brief timeout so the live region isn't updated on every mousemove
event or when quickly traversing through options.
Fixes gh-2002
Closes gh-2031
Due to the fact the widget factory code is now in strict mode, the check for
being called without using the `new` keyword started breaking if you save the
widget constructor to a variable before calling it:
```js
var customWidget = $.custom.customWidget;
customWidget( {}, elem );
```
as then `this` is undefined and checking for `this._createWidget` crashes.
Account for that with an additional check.
Fixes gh-2015
Closes gh-2019
PR gh-1793 removed setting `this.offset.parent` in the Draggable
`refreshPositions` method which broke position calculations when moving
a Draggable item into a connected Sortable. Restore that assignment.
Ref gh-1793
Fixes gh-2001
Closes gh-2009
Note that container specific events will not fire when the dragged element
is interacting with zero height containers.
Fixes gh-1998
Closes gh-2008
Co-authored-by: A. Wells <borgboyone@users.noreply.github.com>
Commit 1f2011ece removed a `try-catch` around triggering the `remove` handlers
in the `jQuery.cleanData` override. The `try-catch` was meant for old IE but it was
also catching an error coming from the tooltip `remove` handler depending on
being able to find a relevant tooltip. The `_find` method returns `null`, though,
when the tooltip content is empty.
Instead of restoring the `try-catch`, handle the `null` case in the `remove` handler.
Fixes gh-1990
Closes gh-1994
Co-authored-by: Claas Augner <github@caugner.de>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
A fix from 43254468de introduced a rule setting
`background-image` of a blank icon to none. However, the selector used for that
rule had lower specificity than another one: `.ui-button .ui-icon`, which caused
dashes to be shown over the icons.
We needed to increase the specificity of the `.ui-icon-blank` rule past the
above selector and past `.ui-button:hover .ui-icon`. We're doing it by repeating
the class name three times.
Closes gh-1987
We need to create a local jQuery because jQuery Color relies on it and the
global may not exist with AMD and a custom build (trac-10199). This worked
in UI 1.12 but stopped in 1.13 as jQuery Color is now sourced as an AMD module
and the variable started being defined after jQuery Color code. To restore the
proper order, move the variable declaration to a separate small module loaded
before jQuery Color.
Closes gh-1973
We're not removing any deprecated API or legacy browser support in 1.13;
re-target comments to mention 1.14.
It's not guaranteed 1.14 will ever get released but if it is, it sounds like
a good moment to do those removals.
Closes gh-1970
Past npm versions required the `--save` flag to save anything in `package.json`
when installing packages but newer ones do this by default. Pass `--no-save` to
restore the original behavior in the `release-test.js` script.
Ref gh-1966
jQuery UI 1.12.1 was released using an outdated (at the time of its release)
version of the download.jqueryui.com package; the latest ones wouldn't generate
relevant JS files.
This commit accounts for the changes so that the latest version can be used.
Closes gh-1965