Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.
For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.
The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.
Fixes gh-3969
Closes gh-4763
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.
Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.
This commit disables the auto-promoting logic.
BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.
Fixes gh-1799
Fixes gh-3376
Closes gh-4754
This also resolves a security warning from GitHub about a vulnerable `request`
version - the new `testswarm` package version depends on a fixed `request`.
Closes gh-4732
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.
The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.
IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.
All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.
Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
The issue about selectors with '#' being broken is old and no longer
frequently reported so this commit removes it from the list. On the other
hand, we're now getting lots of reports about the security fix in jQuery 3.5.0
that was also a breaking change: gh-4642. This one is now mentioned in the
list.
Closes gh-4728
Ref gh-4642
To achieve that, use `eslint-plugin-import`'s `no-unused-modules` rule.
Also, explicitly import `event/trigger.js` from `jquery.js`; so far it was
only imported from ajax.js, making it mistakenly skipped in the
`custom:slim,-deprecated` build.
This commit cleans up a few comments & configurations that are out of date
after the migration to ES modules backed by a Rollup-based compilation.
Also, de-indent AMD modules. This will preserve a more similar
structure to the one on 3.x-stable where the body of the main `define`
wrapper is not indented.
Closes gh-4705
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.
To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.
Closes gh-4704
Ref jquery/jquery-migrate#346
1. Correct code indentations based on jQuery Style Guide
(contribute.jquery.org/style-guide/js/#spacing).
2. Add rules to "src/.eslintrc.json" to enable "enforcing consistent
indentation", with minimal changes to the current code.
Closes gh-4672
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.
Ref gh-4685
Closes gh-4694
So far, the slim build was expanded to its full exclusion list, generating the
following `jQuery.fn.jquery`:
```
v4.0.0-pre -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```
This commit changes it to just `v4.0.0-pre slim`. Only the pure slim build is
treated this way, any modification to it goes through the old expansion; e.g.
for `custom:slim,-deprecated` we get the following `jQuery.fn.jquery`:
```
v4.0.0-pre -deprecated,-deprecated/ajax-event-alias,-deprecated/event,-ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```
Since the version string is also put in the jQuery header comment, it also got
smaller.
Also, the logic to skip including the commit hash in the header comment - when
provided through the COMMIT environment variable which we do in Jenkins - in
minified builds headers has been applied to builds with exclusions as well.
Closes gh-4649
Backport tests from a jQuery 3.x fix that's not needed on `master`.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5a - the commit that
introduced the regression - to make sure we don't regress on either front.
The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.
(cherry picked from 9e15d6b469)
(cherry picked from 1a4f10ddc3)
Ref gh-4652
Ref gh-4656
Closes gh-4657
This disable-directive only applies to the built version, so put
it in /dist. This avoids a warning about an unused directive in the
source version.
Closes gh-4676
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```
There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.
This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.
Closes gh-4687
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
Fixes gh-4119
Closes gh-4650
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Travis reports warnings in our config:
* root: deprecated key sudo (The key `sudo` has no effect anymore.)
* root: missing os, using the default linux
* root: key matrix is an alias for jobs, using jobs
They are all now resolved.
Closes gh-4636
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.
Fixes gh-3256
Closes gh-4603
Use a dist README fixture kept in the jQuery repository instead of modifying
an existing one. This makes the jQuery repository the single source of truth
when it comes to jQuery releases and it makes it easier to make changes to
README without worrying how it will affect older jQuery lines.
The commit also ES6ifies build/release.js & build/release/dist.js
Closes gh-4614
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.
Closes gh-4615
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
Fixes gh-4518
Closes gh-4601
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de0
when fixing the trac-12989 bug.
Closes gh-4602
While we have absolutely no style-related expectations to our minified file,
we do care that it's valid ES 5.1. This is now verified.
Fixes gh-3075
Ref gh-4594
Closes gh-4598
A new `src/deprecated` directory makes it possible to exclude some deprecated
APIs from a custom build when their respective "parent" module is excluded
without keeping that module outside of the `src/deprecated` directory or
the `src/deprecated.js` file.
Closes gh-4572
The consequence is `.css( "opacity" )` will now return an empty string for
detached elements in standard-compliant browsers and "1" in IE & the legacy
Edge. That behavior is shared by most other CSS properties which we're not
normalizing either.
Closes gh-4593
While we have absolutely no style-related expectations to our minified file,
we do care that it's valid ES 5.1. This is now verified.
Fixes gh-3075
Closes gh-4594
So far, the slim build only excluded ajax & effects modules. As many web apps
right now rely on native Promises, often with a polyfill for legacy browsers,
deferred & callbacks modules are not that useful for sites that already exclude
ajax & effects modules.
This decreases the gzipped minified size of the slim module by 1760 bytes,
to 19706 bytes (below 20k!).
Closes gh-4553
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.
This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.
Closes gh-4585