Commit Graph

297 Commits

Author SHA1 Message Date
Michał Gołębiowski-Owczarek
de5398a6ad
Core:Manipulation: Add basic TrustedHTML support
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.

One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespaces are allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.

No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.

The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.

See https://web.dev/trusted-types/ for more information about TrustedHTML.

Fixes gh-4409
Closes gh-4927
Ref gh-4642
Ref gh-4724
2021-09-30 16:00:24 +02:00
Michał Gołębiowski-Owczarek
2f8f39e457
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comments
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.

We also used to strip CDATA sections. However, this shouldn't be needed as in
XML documents they're already not visible when inspecting element contents and
in HTML documents they have no meaning. We've preserved that behavior for
backwards compatibility in 3.x but we're removing it for 4.0.

Fixes gh-4904
Closes gh-4906
2021-07-19 19:04:23 +02:00
Michał Gołębiowski-Owczarek
e35fb62db4
Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.

Also, clean up some comments & remove some obsolete workarounds.

Fixes gh-4568
Closes gh-4792
2020-09-22 17:49:28 +02:00
高灰
15ae361485
Manipulation: Respect script crossorigin attribute in DOM manipulation
Fixes gh-4542
Closes gh-4563

Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-09-22 17:30:18 +02:00
Michał Gołębiowski-Owczarek
9c98e4e86e
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.

The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.

IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.

All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.

Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
2020-06-10 16:13:22 +02:00
Michał Gołębiowski-Owczarek
11066a9e6a
Tests: Workaround failures in recent XSS tests in iOS 8 - 12
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.

Ref gh-4685
Closes gh-4694
2020-04-30 21:25:29 +02:00
Pierre Grimaud
1a7332ce83
Docs: Fix typos
Closes gh-4686
2020-04-29 21:18:23 +02:00
Michał Gołębiowski-Owczarek
dc06d68bdc
Tests: Add tests for recently fixed manipulation XSS issues
Closes gh-4685
Ref gh-4642
Ref gh-4647
2020-04-29 16:39:04 +02:00
Michał Gołębiowski-Owczarek
90fed4b453
Manipulation: Make jQuery.htmlPrefilter an identity function
Closes gh-4642
2020-03-16 21:49:29 +01:00
Michał Gołębiowski-Owczarek
4592595b47
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
   invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
   this was already supported & tested for inline scripts but not for external
   ones.

Fixes gh-4518
Closes gh-4601
2020-02-10 19:17:22 +01:00
Michał Gołębiowski-Owczarek
0f780ba7cc
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:

1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`

It also adds separate Travis jobs for the no-deprecated & slim builds. 

Closes gh-4577
2020-01-07 23:59:08 +01:00
Michał Gołębiowski-Owczarek
1dad1185e0
Docs: Update links to EdgeHTML issues to go through Web Archive
With Microsoft going Chromium with Edge, its old EdgeHTML issues were all
removed. :(

Closes gh-4584
2020-01-07 23:45:41 +01:00
Michał Gołębiowski-Owczarek
f09d92100f
Docs: Update most URLs to HTTPS
Closes gh-4511
2019-10-21 19:03:48 +02:00
Michał Gołębiowski-Owczarek
47835965bd Selector: Inline Sizzle into the selector module
This commit removes Sizzle from jQuery, inlining its code & removing obsolete
workarounds where applicable.

The selector-native module has been removed. Further work on the selector
module may decrease the size enough that it will no longer be necessary. If
it turns out it's still useful, we'll reinstate it but the code will look
different anyway as we'll want to share as much code as possible with
the existing selector module.

The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are
sorted by their first contributions to either of the two repositories.

The commit reduces the gzipped jQuery size by 1460 bytes compared to master.

Closes gh-4395
2019-07-29 21:19:21 +02:00
Michał Gołębiowski-Owczarek
79b74e043a
Selector: Port Sizzle tests to jQuery
Apart from porting most Sizzle tests to jQuery (mostly to its selector module),
this commit fixes selector-native so that a jQuery custom compilation that
excludes Sizzle passes all tests as well.

Closes gh-4406
2019-06-26 21:39:10 +02:00
Michał Gołębiowski-Owczarek
3527a38405
Core: Remove IE-specific support tests, rely on document.documentMode
Also, update some tests to IE-sniff when deciding whether
to skip a test.

Fixes gh-4386
Closes gh-4387
2019-05-13 21:39:56 +02:00
Michał Gołębiowski-Owczarek
cf84696fd1
Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJS
Also, update support comments format to match format described in:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197
with the change from:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379
(open-ended ranges end with `+`).

Fixes gh-3950
Fixes gh-4299
Closes gh-4347
2019-04-29 22:56:09 +02:00
buddh4
005040379d Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323
Closes gh-4328
2019-03-25 18:14:24 +01:00
Michał Gołębiowski-Owczarek
6ced2639b5
Build: Update QUnit from 1.23.1 to 2.9.2
Closes gh-4307
2019-03-04 20:10:21 +01:00
abnud1
c349818742 Build: Update test code for compatibility with QUnit 2.x (#4297)
Also, run `grunt npmcopy` to sync the "external" directory with dependencies
from package.json. For example, the Sinon library version didn't match.

Ref gh-4234
Closes gh-4297
2019-02-18 19:03:26 +01:00
Michał Gołębiowski-Owczarek
5bdc85b82b
Core: Support passing nonce through jQuery.globalEval
Fixes gh-4278
Closes gh-4280
Ref gh-3541
Ref gh-4269
2019-01-21 18:42:39 +01:00
Michał Gołębiowski-Owczarek
e4de8b4626
Manipulation: Respect script nomodule attribute in DOM manipulation
PR #3869 added support for `<script type="module">` & some support for
the `nomodule` attribute but with no tests for `nomodule` and with the
attribute only respected on inline scripts. This commit adds support for
source-based scripts as well. It also adds tests for `nomodule`, including
making sure legacy browsers execute such scripts as they'd natively do - that's
the whole point of `nomodule` scripts, after all.

Fixes gh-4281
Closes gh-4282
Ref gh-3871
Ref gh-3869
2019-01-21 18:34:40 +01:00
Michał Gołębiowski-Owczarek
543d3d24ea Tests: Skip nonce tests in old iOS/Android as well
Old iOS & Android Browser versions support script-src but not nonce, making the
nonce test impossible to run. Browsers not supporting CSP at all are not
a problem as they'll skip script-src restrictions completely.

Ref gh-3541
Ref gh-4269
Ref c7c2855ed1
2019-01-14 19:49:28 +01:00
Michał Gołębiowski-Owczarek
c7c2855ed1
Core: Preserve CSP nonce on scripts in DOM manipulation
Fixes gh-3541
Closes gh-4269
2019-01-14 19:29:54 +01:00
Richard Gibson
c2026b117d Manipulation: Only evaluate HTTP-successful script src
Fixes gh-4126
Closes gh-4243
2018-12-12 17:21:24 +01:00
Michał Gołębiowski-Owczarek
ae82e85e64
Tests: Skip module tests in Edge
Edge sometimes doesn't execute module scripts. It needs to be investigated why
but for now, we're skipping the test to make our tests more stable.

Closes gh-4140
2018-07-30 18:41:08 +02:00
Richard Gibson
979809c5a8
Manipulation: Properly detect HTML elements with single-character names
Fixes gh-4124
Closes gh-4125
2018-07-13 00:35:08 -04:00
Timmy Willison
625e19cd9b
Tests: ensure that module assertions run on supported browsers
- Also fixes tests for karma, where the URL for the module is different

Ref gh-3871
2018-01-16 15:18:32 -05:00
basil.belokon
5d3a968e03
Manipulation: Add support for scripts with module type
Fixes gh-3871
Close gh-3869
2018-01-16 11:39:16 -05:00
Jason Bedard
3d732cca6b Core: deprecate jQuery.isFunction
Fixes gh-3609
2018-01-15 09:26:19 -08:00
Timo Tijhof
ecd8ddea33
Tests: Add support for running unit tests via grunt with karma
- Update QUnit to 1.23.1
- Remove unused dl#dl from test/index.html
- Remove unused map#imgmap from test/index.html
- Ensure all urls to data use baseURI
- Add the 'grunt karma:main' task
  - customContextFile & customDebugFile
- Add 'npm run jenkins' script

Close gh-3744
Fixes gh-1999
2017-12-18 12:27:38 -05:00
Andreas Solleder
5bdd1ca1ab
Tests: minor typos
Close gh-3671
2017-06-05 11:46:43 -04:00
karan-96
ac9e301664 Core: Deprecate jQuery.nodeName
Fixes gh-3475
Closes gh-3505
2017-03-01 11:48:11 +01:00
Richard Gibson
efdb8a46e4 Manipulation: Restrict the tbody search to child nodes
For performance, use a querySelectorAll path instead of Javascript iteration.
http://codepen.io/anon/pen/vywJjx?editors=1010

Fixes gh-3439
Closes gh-3463
2017-01-09 11:37:12 -08:00
Oleg Gaidarenko
522f546d96 Build: More ESLint related changes 2016-07-09 00:49:43 +03:00
Oleg Gaidarenko
58c6ca9822 Build: ESLint details
Use eslint pragmas, fix new errors, etc

Closes gh-3148
2016-06-11 10:41:33 +03:00
Dave Methvin
e5ffcb0838 Tests: Refactor testIframe() to make it DRYer and more consistent
Ref gh-3040
Closes gh-3049
2016-04-11 13:32:51 -04:00
Michał Gołębiowski
9b086888b8 Docs:Tests: Remove obsolete code from tests, update support comments
Support comments that were lacking the final IE/Edge version that exhibits
the bug were checked & updated. Links to the Chromium bug tracker were updated.
Code in tests related to unsupported browsers (like Android 2.3 in non-basic
tests) has been removed.

Fixes gh-2868
Closes gh-2949
2016-03-08 23:26:46 +01:00
Michał Gołębiowski
0b0d4c634a Tests: Fix manipulation tests in Android 4.4
Chromium < 35 incorrectly upper-cases µ; Android 4.4 uses such a version by
default (and its WebView, being un-updatable, will use it for eternity) so we
need to blacklist that one for the tests to pass.
2016-01-27 12:02:00 +01:00
Jon Dufresne
b0b280cd61 Docs: Updated links to https where they are supported.
Close gh-2746
2016-01-13 13:26:10 -05:00
Josh Soref
aae44111e2 Docs: Fix various spelling errors
Closes gh-2761
2016-01-13 13:11:11 -05:00
Leonardo Braga
fb9472c7fb Manipulation: Bring tagname regexes up to spec
Fixes gh-2005
Closes gh-2634
2016-01-07 16:48:49 -05:00
Timmy Willison
88046440da Selector: pass jQuery unit tests with selector-native
- Ignore certain tests that obviously are not supported
- Beefed up the sortOrder, uniqueSort, isXMLDoc, and attr functions

Fixes gh-1742
Fixes gh-2048
Close gh-2703
2015-11-11 10:10:10 -05:00
Timmy Willison
22449eb968 Manipulation: execute scripts from iframe in the iframe's context
Fixes gh-1757
Close gh-2696
2015-11-09 14:14:30 -05:00
Jason Bedard
0e982433eb Data: avoid using delete on DOM nodes
Closes gh-2479
2015-09-08 20:22:54 +02:00
Oleg Gaidarenko
c8d15a2f9f Tests: further improvements QUnit 2.0 migration
* Remove QUnit jshint globals
* Extend QUnit.assert methods
* Use assert.async instead of start/stop/done

Ref b930d14ce6
2015-09-08 04:06:20 +03:00
Oleg Gaidarenko
10fdad742a Build: Update jscs and lint files
Fixes gh-2056
2015-09-07 20:03:50 +03:00
Oleg Gaidarenko
b930d14ce6 Tests: partially use new qunit interface
http://qunitjs.com/upgrade-guide-2.x/

For most of the boring work was used
https://github.com/apsdehal/qunit-migrate package

However, it can't update local qunit helpers, plus in some places
old QUnit.asyncTest signature is still used

Fixes gh-2540
2015-08-16 09:02:01 +03:00
Oleg Gaidarenko
aabe94edb4 Tests: don't use deprecated argument in test declaration
Closes gh-2507
2015-07-30 20:46:31 +03:00
Bruno Pérel
360a478033 Docs: Fix various spelling mistakes
Closes gh-2487
2015-07-30 15:47:23 +02:00