The `_default` function in the special event settings for focus/blur has
always returned `true` since gh-4813 as the event was already being fired
from `leverageNative`. However, that only works if there's an active handler
on that element; this made a quick consecutive call:
```js
elem.on( "focus", function() {} ).off( "focus" );
```
make subsequent `.trigger( "focus" )` calls to not do any triggering.
The solution, already used in a similar `_default` method for the `click` event,
is to check for the `dataPriv` entry on the element for the focus event
(similarly for blur).
Fixes gh-4867
Closes gh-4885
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.
Ref gh-4764
Closes gh-4871
Chrome & Firefox now support complex `:not()` selectors so those test can run
in them even without custom jQuery selector code. In the past, it was only
possible in Safari, now we only need to exclude IE.
Closes gh-4864
That package was missed in gh-4865 as it only broke browsers needing the
polyfill which is just IE at the moment. Thus, it broke Core tests in IE only.
Ref gh-4865
Closes gh-4870
In gh-4466, we removed the `external` directory in favor of loading some files
directly from `node_modules`. This works fine locally but when deploying code
for tests, this makes it impossible to not deploy `node_modules` as well. To
avoid the issue, this change restores usage of the `external` directory.
One change is that we no longer commit this directory to the repository, its
only purpose is to have clear isolation from `node_modules`.
Ref gh-4466
Closess gh-4865
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic same-domain scripts as well.
After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script` in `jQuery.ajax` options or to use
`jQuery.getScript`.
Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
"text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
query string parameter
Closes gh-4824
Ref gh-2432
Ref gh-2588
Ref 39cdb8c9aa
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties
Fixes gh-4529
Closes gh-4808
If during a focus handler another focus event is triggered:
```js
elem1.on( "focus", function() {
elem2.trigger( "focus" );
} );
```
due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.
This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.
A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.
Fixes gh-4382
Closes gh-4813
Ref gh-4279
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.
Fixes gh-4417
Closes gh-4799
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.
Also, clean up some comments & remove some obsolete workarounds.
Fixes gh-4568
Closes gh-4792
This aligns the Node.js server with the previous PHP one in sending `mock.php`
as a callback if there's no `callback` parameter in the query string which is
triggered by a recently added test. This prevents the request crashing on that
Node.js server and printing a JS error:
```
TypeError: Cannot read property '1' of null
```
Closes gh-4764
Ref gh-4754
The test has been already skipped in Chrome as it dropped support for such
requests and now Safari has joined the squad.
This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13.
Closes gh-4779
The behavior of this signature is not intuitive, especially if classes are
manipulated via other ways between `toggleClass` calls.
Fixes gh-3388
Closes gh-4766
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.
This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.
Fixes gh-4771
Closes gh-4773
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.
For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.
The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.
Fixes gh-3969
Closes gh-4763
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.
Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.
This commit disables the auto-promoting logic.
BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.
Fixes gh-1799
Fixes gh-3376
Closes gh-4754
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.
The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.
IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.
All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.
Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.
To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.
Closes gh-4704
Ref jquery/jquery-migrate#346
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.
Ref gh-4685
Closes gh-4694
Backport tests from a jQuery 3.x fix that's not needed on `master`.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5a - the commit that
introduced the regression - to make sure we don't regress on either front.
The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.
(cherry picked from 9e15d6b469)
(cherry picked from 1a4f10ddc3)
Ref gh-4652
Ref gh-4656
Closes gh-4657
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```
There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.
This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.
Closes gh-4687
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
Fixes gh-4119
Closes gh-4650
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.
Fixes gh-3256
Closes gh-4603
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.
Closes gh-4615
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
Fixes gh-4518
Closes gh-4601
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de0
when fixing the trac-12989 bug.
Closes gh-4602
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.
This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.
Closes gh-4585
PR gh-4550 added support for running ES modules & AMD tests via Karma. This
required reading the `esmodules` & `amd` props from both `QUnit.config` &
`QUnit.urlParams`. By picking these two properties manually, the `dev` one
stopped being respected while ones handled directly by QUnit were fine (like
`hidepassed`). Instead of maintaining the full list of options, the code now
iterates over QUnit URL config and handles the fallbacks in a more generic way.
Apart from that, all jQuery source & test files are now read directly from disk
instead of being cached by Karma so that one can run `grunt karma:chrome-debug`
& work on a fix without restarting that Karma run after each change. A similar
effect could have been achieved by setting `autoWatch` to `true` but then the
main Karma page runs tests in an iframe by default when
`grunt karma:chrome-debug` is run instead of relying on the current debug flow.
Closes gh-4574
Ref gh-4550
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.
Closes gh-4577
Remove the workaround for a broken `:enabled` pseudo-class on anchor elements
in Chrome <=77. These versions of Chrome considers anchor elements with the
`href` attribute as matching `:enabled`.
Closes gh-4569
jQuery source has been migrated in gh-4541 from AMD to ES modules. To maintain
support for consumers of our AMD modules, this commits adds a task transpiling
the ES modules sources in `src/` to AMD in `amd/`.
A "Load with AMD" checkbox was also restored to the QUnit setup. Note that,
contrary to jQuery 3.x, AMD files need to be generated via `grunt amd` or
`grunt` as sources are not authored in ECMAScript modules. To achieve a similar
no-compile experience during jQuery 4.x testing, use the new "Load as modules"
checkbox which works in all supported browsers except for IE & Edge (the
legacy, EdgeHTML-based one).
Ref gh-4541
Closes gh-4554
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.
Fixes gh-4397
Closes gh-4558
qSA in IE 11/Edge often (but not always) don't find elements with an empty
name attribute selector (`[name=""]`). Detect that & fall back to Sizzle
traversal.
Interestingly, IE 10 & older don't seem to have the issue.
Fixes gh-4435
Closes gh-4510
Migrate all source AMD modules to ECMAScript modules. The final bundle
is compiled by a custom build process that uses Rollup under the hood.
Test files themselves are still loaded via RequireJS as that has to work in
IE 11.
Tests can now be run in "Load as modules" mode which replaces the previous
"Load with AMD" option. That option of running tests doesn't work in IE
and Edge as it requires support for dynamic imports.
Some of the changes required by the migration:
* check `typeof` of `noGlobal` instead of using the variable directly
as it's not available when modules are used
* change the nonce module to be an object as ECMASscript module exports
are immutable
* remove some unused exports
* import `./core/parseHTML.js` directly in `jquery.js` so that it's not
being cut out when the `ajax` module is excluded in a custom compilation
Closes gh-4541
Sizzle's PR jquery/sizzle#456 introduced a test catching not throwing on
badly-escaped identifiers by Firefox 3.6-5. Unfortunately, it was placed just
before a test Opera 10-11 failed, making Opera fail quicker and not adding
a post-comma invalid selector to rbuggyQSA.
The issue was fixed in jquery/sizzle#463. This jQuery commit backports the test
that Sizzle PR added as no workarounds are needed in browsers jQuery supports.
Closes gh-4516
Ref jquery/sizzle#456
Ref jquery/sizzle#463
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).
Fixes gh-4250
Closes gh-4379
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.
Fixes gh-4320
Closes gh-4459
`:even` & `:odd` are deprecated since jQuery 3.4.0 & will be removed in 4.0.0.
The new `even()` & `odd()` methods will make the migration easier.
Closes gh-4485
With new selector code doing less convoluted support tests, it was possible
to extract a lot of logic out of setDocument & also reduce size.
This commit also backports jquery/sizzle#439 that was reverted by mistake
during a switch from JSHint + JSCS to ESLint.
Closes gh-4462
Ref jquery/sizzle#442
Ref jquery/sizzle#439
Now that Sizzle is gone & we use npm, we can read from node_modules directly
and skip the setup that copies some files to the external directory.
Closes gh-4466
The `:scope` pseudo-class[1] has surprisingly good browser support: Chrome,
Firefox & Safari have supported if for a long time; only IE & Edge lack support.
This commit leverages this pseudo-class to get rid of the ID hack in most cases.
Adding a temporary ID may cause layout thrashing which was reported a few times
in [the past.
We can't completely eliminate the ID hack in modern browses as sibling selectors
require us to change context to the parent and then `:scope` stops applying to
what we'd like. But it'd still improve performance in the vast majority of
cases.
[1] https://developer.mozilla.org/en-US/docs/Web/CSS/:scope
Fixes gh-4453
Closes gh-4454
Ref gh-4332
Ref jquery/sizzle#405
A copied comment line was accidentally left out above the line defining
`QUnit.jQuerySelectorsPos`, making the sentence nonsense. This commit removes
that line.
Closes gh-4458
This commit removes Sizzle from jQuery, inlining its code & removing obsolete
workarounds where applicable.
The selector-native module has been removed. Further work on the selector
module may decrease the size enough that it will no longer be necessary. If
it turns out it's still useful, we'll reinstate it but the code will look
different anyway as we'll want to share as much code as possible with
the existing selector module.
The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are
sorted by their first contributions to either of the two repositories.
The commit reduces the gzipped jQuery size by 1460 bytes compared to master.
Closes gh-4395
Apart from porting most Sizzle tests to jQuery (mostly to its selector module),
this commit fixes selector-native so that a jQuery custom compilation that
excludes Sizzle passes all tests as well.
Closes gh-4406
Latest versions of all browsers now implement focusin & focusout natively
and they all converged on a common event order so it doesn't make much sense
for us to normalize it to a different order anymore.
Note that it means we no longer guarantee that focusin fires before focus
and focusout before blur.
Fixes gh-4300
Closes gh-4362
The camelCase implementation used by the data module no longer turns `-ms-foo`
into `msFoo` but to `MsFoo` now. This is because `data` is supposed to be
a generic utility not specifically bound to CSS use cases.
Fixes gh-3355
Closes gh-4365
Android Browser disregards td's box-sizing, treating it like it was content-box.
Unlike in IE, offsetHeight shares the same issue so there's no easy way to
workaround the issue without incurring high size penalty. Let's at least check
we get the size as the browser sees it.
Also, fix the nearby support comment syntax.
Closes gh-4335
Android Browser versions provided by BrowserStack fail the "prototype collision
(constructor)" test while locally fired emulators don't, even when they connect
to TestSwarm. Just skip the test there to avoid a red build.
Closes gh-4334
Summary of the changes/fixes:
1. Trigger checkbox and radio click events identically (cherry-picked from
b442abacbb that was reverted before).
2. Manually trigger a native event before checkbox/radio handlers.
3. Add test coverage for triggering namespaced native-backed events.
4. Propagate extra parameters passed when triggering the click event to
the handlers.
5. Intercept and preserve namespaced native-backed events.
6. Leverage native events for focus and blur.
7. Accept that focusin handlers may fire more than once for now.
Fixes gh-1741
Fixes gh-3423
Fixes gh-3751
Fixes gh-4139
Closes gh-4279
Ref gh-1367
Ref gh-3494
So far, we've been testing that jQuery element iteration works with polyfilled
Symbol & transpiled for-of via a Node test with jsdom with the Symbol global
removed. Unfortunately, jsdom now requires Symbol to be present for its internal
functionality so such a test is no longer possible. Instead, it's been migrated
to an iframe test with transpiled JavaScript.
This PR also enables us to use ECMAScript 2017 or newer in Node.js code.
Closes gh-4305
We had quite a few obsolete globals declared in various ESLint config files. We also no longer allow to rely on the `noGlobal` & `jQuery` globals in the built file which is not needed.
Closes gh-4301
Also, run `grunt npmcopy` to sync the "external" directory with dependencies
from package.json. For example, the Sinon library version didn't match.
Ref gh-4234
Closes gh-4297
PR #3869 added support for `<script type="module">` & some support for
the `nomodule` attribute but with no tests for `nomodule` and with the
attribute only respected on inline scripts. This commit adds support for
source-based scripts as well. It also adds tests for `nomodule`, including
making sure legacy browsers execute such scripts as they'd natively do - that's
the whole point of `nomodule` scripts, after all.
Fixes gh-4281
Closes gh-4282
Ref gh-3871
Ref gh-3869
Old iOS & Android Browser versions support script-src but not nonce, making the
nonce test impossible to run. Browsers not supporting CSP at all are not
a problem as they'll skip script-src restrictions completely.
Ref gh-3541
Ref gh-4269
Ref c7c2855ed1