Commit Graph

4343 Commits

Author SHA1 Message Date
Michał Gołębiowski-Owczarek
de5398a6ad
Core:Manipulation: Add basic TrustedHTML support
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.

One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespaces are allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.

No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.

The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.

See https://web.dev/trusted-types/ for more information about TrustedHTML.

Fixes gh-4409
Closes gh-4927
Ref gh-4642
Ref gh-4724
2021-09-30 16:00:24 +02:00
fecore1
efadfe991a
CSS: Trim whitespace surrounding CSS Custom Properties values
The spec has recently changed and CSS Custom Properties values are trimmed now.
This change makes jQuery polyfill that new behavior for all browsers.

Ref w3c/csswg-drafts#774
Fixes gh-4926
Closes gh-4930
2021-09-23 13:35:18 +02:00
Michał Gołębiowski-Owczarek
2f8f39e457
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comments
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.

We also used to strip CDATA sections. However, this shouldn't be needed as in
XML documents they're already not visible when inspecting element contents and
in HTML documents they have no meaning. We've preserved that behavior for
backwards compatibility in 3.x but we're removing it for 4.0.

Fixes gh-4904
Closes gh-4906
2021-07-19 19:04:23 +02:00
Michał Gołębiowski-Owczarek
e539bac79e
Event: Don't break focus triggering after .on(focus).off(focus)
The `_default` function in the special event settings for focus/blur has
always returned `true` since gh-4813 as the event was already being fired
from `leverageNative`. However, that only works if there's an active handler
on that element; this made a quick consecutive call:

```js
elem.on( "focus", function() {} ).off( "focus" );
```

make subsequent `.trigger( "focus" )` calls to not do any triggering.

The solution, already used in a similar `_default` method for the `click` event,
is to check for the `dataPriv` entry on the element for the focus event
(similarly for blur).

Fixes gh-4867
Closes gh-4885
2021-05-10 18:59:14 +02:00
Timmy Willison
09f254361f
Support: ensure display is set to block for the support div
* Support: ensure display is set to block for the support div

- Fixes an issue with the support test in iframes in Android 8 Chrome 86+,
  where display: inline resulted in unexpected height values.

Close gh-4845
Fixes gh-4832
2021-02-17 16:19:04 -05:00
Michał Gołębiowski-Owczarek
025da4dd34
Ajax: Don't auto-execute scripts unless dataType provided
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic same-domain scripts as well.

After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script` in `jQuery.ajax` options or to use
`jQuery.getScript`.

Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
2021-01-26 15:58:29 +01:00
Michał Gołębiowski-Owczarek
a32cf6324f
Deferred: Rename master to primary
Closes gh-4828
2021-01-12 20:56:51 +01:00
Timmy Willison
3bbbc11111
Dimensions: Add offset prop fallback to FF for unreliable TR dimensions
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties

Fixes gh-4529
Closes gh-4808
2021-01-11 11:56:08 -05:00
Michał Gołębiowski-Owczarek
8969732518
Core: Report browser errors in parseXML
Fixes gh-4784
Closes gh-4816
2020-12-08 11:22:21 +01:00
Michał Gołębiowski-Owczarek
fd421097c5
Core: Make jQuery.isXMLDoc accept falsy input
Fixes gh-4782
Closes gh-4814
2020-12-07 21:09:15 +01:00
Michał Gołębiowski-Owczarek
dbcffb396c
Event: Make focus re-triggering not focus the original element back
If during a focus handler another focus event is triggered:

```js
elem1.on( "focus", function() {
	elem2.trigger( "focus" );
} );
```

due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.

This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.

A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.

Fixes gh-4382
Closes gh-4813
Ref gh-4279
2020-12-07 20:28:44 +01:00
Michał Gołębiowski-Owczarek
5c2d08704e
Event: Don't crash if an element is removed on blur
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.

Fixes gh-4417
Closes gh-4799
2020-10-19 21:17:51 +02:00
Michał Gołębiowski-Owczarek
e35fb62db4
Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.

Also, clean up some comments & remove some obsolete workarounds.

Fixes gh-4568
Closes gh-4792
2020-09-22 17:49:28 +02:00
高灰
15ae361485
Manipulation: Respect script crossorigin attribute in DOM manipulation
Fixes gh-4542
Closes gh-4563

Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-09-22 17:30:18 +02:00
Michał Gołębiowski-Owczarek
8612018d4e
Build: Make the import/no-unused-modules ESLint rule work in WebStorm
When run via WebStorm, the root path against which paths in the config of the
`import/no-unused-modules` ESLint rule are resolved is the path where the ESLint
config file that defines the rule lies, i.e. `src`. When run via the command
line, it's usually the root folder of the jQuery repository. This pattern
intends to catch both.

Note that we cannot specify two patterns here:
```js
[ "src/*.js", "*.js" ]
```
as they're analyzed individually and the rule crashes if a pattern cannot be
matched.

Closes gh-4777
2020-09-02 17:24:55 +02:00
Michał Gołębiowski-Owczarek
a4421101fd
Attributes: Drop the toggleClass(boolean|undefined) signature
The behavior of this signature is not intuitive, especially if classes are
manipulated via other ways between `toggleClass` calls.

Fixes gh-3388
Closes gh-4766
2020-09-01 10:42:03 +02:00
Michał Gołębiowski-Owczarek
68b4ec59c8
Ajax: Make responseJSON work for erroneous same-domain JSONP requests
Don't use a script tag for JSONP requests unless for cross-domain requests
or if scriptAttrs are provided. This makes the `responseJSON` property available
in JSONP error callbacks.

This fixes a regression from jQuery 3.5.0 introduced in gh-4379 which made
erroneous script responses to not be executed to follow native behavior.

The 3.x-stable branch doesn't need this fix as it doesn't use script tags for
regular async requests.

Closes gh-4778
Ref gh-4771
Ref gh-4773
Ref gh-4379
2020-09-01 00:02:44 +02:00
Michał Gołębiowski-Owczarek
1a5fff4c16
Event: Remove the event.which shim
All supported browsers implement this property by themselves. The shim was only
needed for IE <9.

Fixes gh-3235
Closes gh-4765
Ref gh-4755
2020-08-26 14:10:33 +02:00
Dallas Fraser
a1e619b03a
Ajax: Execute JSONP error script responses
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.

This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.

Fixes gh-4771
Closes gh-4773
2020-08-25 21:41:06 +02:00
Michał Gołębiowski-Owczarek
07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00
Michał Gołębiowski-Owczarek
e7b3bc488d
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
2020-07-27 19:15:57 +02:00
Michał Gołębiowski-Owczarek
9c98e4e86e
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.

The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.

IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.

All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.

Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
2020-06-10 16:13:22 +02:00
Michał Gołębiowski-Owczarek
40c3abd0ab
Build:Event: Make sure all source modules' exports are used (#4648)
To achieve that, use `eslint-plugin-import`'s `no-unused-modules` rule.

Also, explicitly import `event/trigger.js` from `jquery.js`; so far it was
only imported from ajax.js, making it mistakenly skipped in the
`custom:slim,-deprecated` build.
2020-06-02 13:45:08 +02:00
Michał Gołębiowski-Owczarek
0b676ae12d
Deprecated: Remove jQuery.trim
The API has been deprecated in 3.5.0 so it can be removed in 4.0.0.

Ref gh-4461
Closes gh-4695
2020-05-18 23:20:38 +02:00
Michał Gołębiowski-Owczarek
ef4d6ca6c3
Build: Update eslint-config-jquery, fix linting violations
Closes gh-4696
Ref jquery/eslint-config-jquery#15
Ref jquery/eslint-config-jquery#16
2020-05-18 22:25:49 +02:00
Michał Gołębiowski-Owczarek
11611967ad
Docs: Change JS Foundation mentions to OpenJS Foundation
Closes gh-4711
2020-05-18 18:41:32 +02:00
Michał Gołębiowski-Owczarek
55cd3a4436
Build: Followups after introducing ES modules compiled via Rollup
This commit cleans up a few comments & configurations that are out of date
after the migration to ES modules backed by a Rollup-based compilation.

Also, de-indent AMD modules. This will preserve a more similar
structure to the one on 3.x-stable where the body of the main `define`
wrapper is not indented.

Closes gh-4705
2020-05-05 14:30:14 +02:00
Michał Gołębiowski-Owczarek
297d18dd13
CSS: Include show, hide & toggle methods in the jQuery slim build
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.

To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.

Closes gh-4704
Ref jquery/jquery-migrate#346
2020-05-05 14:16:41 +02:00
Wonseop Kim
3d62d57049
Build: Correct code indentations based on jQuery Style Guide
1. Correct code indentations based on jQuery Style Guide
   (contribute.jquery.org/style-guide/js/#spacing).
2. Add rules to "src/.eslintrc.json" to enable "enforcing consistent
   indentation", with minimal changes to the current code.

Closes gh-4672
2020-05-05 10:49:27 +02:00
Ed S
34296ec547
Build: Move ESLint max-len disable-directive to dist/.eslintrc.json
This disable-directive only applies to the built version, so put
it in /dist. This avoids a warning about an unused directive in the
source version.

Closes gh-4676
2020-04-27 21:29:13 +02:00
Christian Wenz
7fb90a6bea
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".

Fixes gh-4119
Closes gh-4650

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-04-06 21:15:55 +02:00
Michał Gołębiowski-Owczarek
90fed4b453
Manipulation: Make jQuery.htmlPrefilter an identity function
Closes gh-4642
2020-03-16 21:49:29 +01:00
Michał Gołębiowski-Owczarek
9d76c0b163
Data:Event:Manipulation: Prevent collisions with Object.prototype
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.

Fixes gh-3256
Closes gh-4603
2020-03-02 23:02:42 +01:00
Michał Gołębiowski-Owczarek
4a7fc8544e
Build: Enable ESLint one-var rule for var declarations in browser code
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.

Closes gh-4615
2020-03-02 22:25:35 +01:00
Michał Gołębiowski-Owczarek
4592595b47
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
   invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
   this was already supported & tested for inline scripts but not for external
   ones.

Fixes gh-4518
Closes gh-4601
2020-02-10 19:17:22 +01:00
Michał Gołębiowski-Owczarek
18db87172c
Event: remove jQuery.event.global
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de0
when fixing the trac-12989 bug.

Closes gh-4602
2020-02-10 19:13:09 +01:00
Michał Gołębiowski-Owczarek
23d53928f3
Ajax: Deprecate AJAX event aliases, inline event/alias into deprecated
A new `src/deprecated` directory makes it possible to exclude some deprecated
APIs from a custom build when their respective "parent" module is excluded
without keeping that module outside of the `src/deprecated` directory or
the `src/deprecated.js` file.

Closes gh-4572
2020-01-21 14:12:35 +01:00
Michał Gołębiowski-Owczarek
865469f5e6
CSS: Remove the opacity CSS hook
The consequence is `.css( "opacity" )` will now return an empty string for
detached elements in standard-compliant browsers and "1" in IE & the legacy
Edge. That behavior is shared by most other CSS properties which we're not
normalizing either.

Closes gh-4593
2020-01-21 14:11:06 +01:00
Michał Gołębiowski-Owczarek
ff2819911d
Attributes: Refactor val(): don't strip carriage return, isolate IE workarounds
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.

This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.

Closes gh-4585
2020-01-13 19:25:01 +01:00
Michał Gołębiowski-Owczarek
9e66fe9acf
Attributes: Don't set the type attr hook at all outside of IE
This removes a needless function call in modern browsers.

Closes gh-4587
2020-01-13 19:22:08 +01:00
Michał Gołębiowski-Owczarek
0f780ba7cc
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:

1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`

It also adds separate Travis jobs for the no-deprecated & slim builds. 

Closes gh-4577
2020-01-07 23:59:08 +01:00
Michał Gołębiowski-Owczarek
c1ee33aded
Selector: Remove the "a:enabled" workaround for Chrome <=77
Remove the workaround for a broken `:enabled` pseudo-class on anchor elements
in Chrome <=77. These versions of Chrome considers anchor elements with the
`href` attribute as matching `:enabled`.

Closes gh-4569
2019-12-16 19:43:38 +01:00
Michał Gołębiowski-Owczarek
d5c505e35d
Event: Only attach events to objects that accept data - for real
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.

Fixes gh-4397
Closes gh-4558
2019-12-09 19:50:14 +01:00
Michał Gołębiowski-Owczarek
44ac8c8529
Build: Require extensions for ES6 imports, prevent import cycles
jQuery source is now authored in ECMAScript modules. Native browser support
for them requires full file names including extensions. Rollup works even
if import paths don't specify extensions, though, so one import slipped
through without such an extension, breaking native browser import of
src/jquery.js.

A new ESLint rule using eslint-plugin-import prevents us from regressing
on that front.

Also, eslint-plugin-import's no-cycle rule is used to avoid import cycles.

Closes gh-4544
Ref gh-4541
Ref 075320149a
2019-11-25 20:16:53 +01:00
Michał Gołębiowski-Owczarek
075320149a Build: Fix the import path to serialize.js from ajax.js 2019-11-19 15:18:27 +01:00
Michał Gołębiowski-Owczarek
05184cc448
Selector: Make empty attribute selectors work in IE again
qSA in IE 11/Edge often (but not always) don't find elements with an empty
name attribute selector (`[name=""]`). Detect that & fall back to Sizzle
traversal.

Interestingly, IE 10 & older don't seem to have the issue.

Fixes gh-4435
Closes gh-4510
2019-11-18 22:10:55 +01:00
Michał Gołębiowski-Owczarek
d0ce00cdfa
Core: Migrate from AMD to ES modules 🎉
Migrate all source AMD modules to ECMAScript modules. The final bundle
is compiled by a custom build process that uses Rollup under the hood.

Test files themselves are still loaded via RequireJS as that has to work in
IE 11.

Tests can now be run in "Load as modules" mode which replaces the previous
"Load with AMD" option. That option of running tests doesn't work in IE
and Edge as it requires support for dynamic imports.

Some of the changes required by the migration:
* check `typeof` of `noGlobal` instead of using the variable directly
  as it's not available when modules are used
* change the nonce module to be an object as ECMASscript module exports
  are immutable
* remove some unused exports
* import `./core/parseHTML.js` directly in `jquery.js` so that it's not
  being cut out when the `ajax` module is excluded in a custom compilation

Closes gh-4541
2019-11-18 21:15:03 +01:00
Michał Gołębiowski-Owczarek
15750b0af2
Selector: Use shallow document comparisons in uniqueSort
IE/Edge sometimes crash when comparing documents between frames using the strict
equality operator (`===` & `!==`). Funnily enough, shallow comparisons
(`==` & `!=`) work without crashing.

The change to shallow comparisons in `src/selector.js` was done in gh-4471 but
relevant changes in `src/selector/uniqueSort.js` were missed. Those changes
have landed in Sizzle in jquery/sizzle#459.

Fixes gh-4441
Closes gh-4512
Ref gh-4471
Ref jquery/sizzle#459
2019-10-21 19:04:48 +02:00
Michał Gołębiowski-Owczarek
f09d92100f
Docs: Update most URLs to HTTPS
Closes gh-4511
2019-10-21 19:03:48 +02:00
Michał Gołębiowski-Owczarek
26415e081b
CSS: Workaround buggy getComputedStyle on table rows in IE/Edge
Fixes gh-4490
Closes gh-4506
2019-10-14 18:41:35 +02:00
Michał Gołębiowski-Owczarek
ed66d5a22b
Selector: Make selectors with leading combinators use qSA again
An optimization added in jquery/sizzle#431 skips the temporary IDs for selectors
not using child or descendant combinators. For sibling combinators, though, this
pushes a selector with a leading combinator to qSA directly which crashes and
falls back to a slower Sizzle route.

This commit makes selectors with leading combinators not skip the selector
rewriting. Note that after jquery/jquery#4454 & jquery/sizzle#453, all modern
browsers other than Edge leverage the :scope pseudo-class, avoiding temporary
id attributes.

Closes gh-4509
Ref jquery/sizzle#431
2019-10-14 18:28:19 +02:00
Michał Gołębiowski-Owczarek
4504fc3d72
Manipulation:Selector: Use the nodeName util where possible to save size
Saves 20 bytes.

Closes gh-4504
2019-10-08 22:41:59 +02:00
Sean Robinson
50871a5a85 Ajax: Do not execute scripts for unsuccessful HTTP responses
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).

Fixes gh-4250
Closes gh-4379
2019-09-26 02:43:30 +02:00
Ahmed.S.ElAfifi
9df4f1de12 Core: Use Array.prototype.flat where supported
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.

Fixes gh-4320
Closes gh-4459
2019-09-25 01:38:21 +02:00
Michał Gołębiowski-Owczarek
aa6344baf8
Selector: Use shallow document comparisons to avoid IE/Edge crashes
IE/Edge sometimes crash when comparing documents between frames using the strict
equality operator (`===` & `!==`). Funnily enough, shallow comparisons
(`==` & `!=`) work without crashing.

Fixes gh-4441
Closes gh-4471
2019-09-25 00:41:07 +02:00
Michał Gołębiowski-Owczarek
b59107f5d7
Core: Remove private copies of push, sort & splice from the jQuery prototype
Closes gh-4473
2019-09-24 02:12:36 +02:00
Michał Gołębiowski-Owczarek
78420d427c
Core: Implement .even() & .odd() to replace POS :even & :odd
`:even` & `:odd` are deprecated since jQuery 3.4.0 & will be removed in 4.0.0.
The new `even()` & `odd()` methods will make the migration easier.

Closes gh-4485
2019-09-24 02:04:53 +02:00
Michał Gołębiowski-Owczarek
f810080e8e Deprecated: Fix AMD parameter order
Ref gh-4461
2019-08-31 01:40:45 +02:00
Michał Gołębiowski-Owczarek
29a9544a4f
Selector: reduce size, simplify setDocument
With new selector code doing less convoluted support tests, it was possible
to extract a lot of logic out of setDocument & also reduce size.

This commit also backports jquery/sizzle#439 that was reverted by mistake
during a switch from JSHint + JSCS to ESLint.

Closes gh-4462
Ref jquery/sizzle#442
Ref jquery/sizzle#439
2019-08-26 19:15:53 +02:00
Michał Gołębiowski-Owczarek
abdc89ac2e
Ajax: Simplify jQuery.ajaxSettings.xhr
Previously, jQuery.ajaxSettings.xhr, contents were wrapped in a try-catch
as we defined jQuery.support.ajax & jQuery.support.cors executed during the
jQuery load and we didn't want to crash if IE had native XHR disabled (which
is possible). While jQuery hasn't supported the ActiveX-based XHR since 2.0,
jQuery with XHR disabled could still be used for its other features in such
a crippled browser.

Since gh-4347, jQuery.support.ajax & jQuery.support.cors no longer exist, so
we don't need the try-catch anymore.

Fixes gh-1967
Closes gh-4467
Ref gh-4347
2019-08-26 19:01:26 +02:00
Shashanka Nataraj
5ea5946094 Core: Deprecate jQuery.trim
Fixes gh-4363
Closes gh-4461
2019-08-22 02:06:26 +02:00
Michał Gołębiowski-Owczarek
df6a7f7f0f
Selector: Leverage the :scope pseudo-class where possible
The `:scope` pseudo-class[1] has surprisingly good browser support: Chrome,
Firefox & Safari have supported if for a long time; only IE & Edge lack support.
This commit leverages this pseudo-class to get rid of the ID hack in most cases.
Adding a temporary ID may cause layout thrashing which was reported a few times
in [the past.

We can't completely eliminate the ID hack in modern browses as sibling selectors
require us to change context to the parent and then `:scope` stops applying to
what we'd like. But it'd still improve performance in the vast majority of
cases.

[1] https://developer.mozilla.org/en-US/docs/Web/CSS/:scope

Fixes gh-4453
Closes gh-4454
Ref gh-4332
Ref jquery/sizzle#405
2019-08-19 18:41:03 +02:00
Michał Gołębiowski-Owczarek
cef4b73179
Selector: Bring back querySelectorAll shortcut usage
Due to a faulty IE 8 workaround removal, the fast path qSA mode was skipped
when jQuery's find was called on an element node - i.e. in most cases. 😱

Ref gh-4395
Closes gh-4452
2019-08-09 12:42:05 +02:00
Michał Gołębiowski-Owczarek
47835965bd Selector: Inline Sizzle into the selector module
This commit removes Sizzle from jQuery, inlining its code & removing obsolete
workarounds where applicable.

The selector-native module has been removed. Further work on the selector
module may decrease the size enough that it will no longer be necessary. If
it turns out it's still useful, we'll reinstate it but the code will look
different anyway as we'll want to share as much code as possible with
the existing selector module.

The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are
sorted by their first contributions to either of the two repositories.

The commit reduces the gzipped jQuery size by 1460 bytes compared to master.

Closes gh-4395
2019-07-29 21:19:21 +02:00
Michał Gołębiowski-Owczarek
79b74e043a
Selector: Port Sizzle tests to jQuery
Apart from porting most Sizzle tests to jQuery (mostly to its selector module),
this commit fixes selector-native so that a jQuery custom compilation that
excludes Sizzle passes all tests as well.

Closes gh-4406
2019-06-26 21:39:10 +02:00
Michał Gołębiowski-Owczarek
438b1a3e8a
Build: ESLint: forbid unused function parameters
This commit requires all function parameters to be used, not just the last one.
In cases where that's not possible as we need to match an external API, there's
an escape hatch of prefixing an unused argument with `_`.

This change makes it easier to catch unused AMD dependencies and unused
parameters in internal functions the API of which we may change at will, among
other things.

Unused AMD dependencies have been removed as part of this commit.

Closes gh-4381
2019-05-13 22:25:11 +02:00
Michał Gołębiowski-Owczarek
3527a38405
Core: Remove IE-specific support tests, rely on document.documentMode
Also, update some tests to IE-sniff when deciding whether
to skip a test.

Fixes gh-4386
Closes gh-4387
2019-05-13 21:39:56 +02:00
Michał Gołębiowski-Owczarek
ccbd6b9342
Traversing: Fix contents() on <object>s with children in IE
The original fix didn't account for the fact that in IE `<object>` elements
with no `data` attribute have an object `contentDocument`. The fix leverages
the fact that this special object has a null prototype.

Closes gh-4390
Ref gh-4384
Ref gh-4385
2019-05-08 10:12:36 +02:00
Pat O'Callaghan
4d865d96aa Traversing: Fix contents() on <object>s with children
Fixes gh-4384
Closes gh-4385
2019-05-06 19:23:00 +02:00
Wonseop Kim
110802c7f2 Effect: Fix a unnecessary conditional statement in .stop()
Because of the above conditional, the 'type' variable has a value of type
'string' or undefined. Therefore, boolean comparisons for 'type' variable
is always unnecessary because it return true. The patch removed the
unnecessary conditional statement.

Fixes gh-4374
Closes gh-4375
2019-05-01 14:57:55 +02:00
Michał Gołębiowski-Owczarek
b220f6df88
Build: Fix AMD dependencies in curCSS
A leftover `rboxStyle` was left in the wrapper parameters but not in the
dependency array, causing `getStyles` to be undefined in AMD mode.

Since `rboxStyle` is no longer used, it's now removed.

Ref gh-4347
Closes gh-4380
2019-04-30 21:21:18 +02:00
Michał Gołębiowski-Owczarek
cf84696fd1
Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJS
Also, update support comments format to match format described in:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197
with the change from:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379
(open-ended ranges end with `+`).

Fixes gh-3950
Fixes gh-4299
Closes gh-4347
2019-04-29 22:56:09 +02:00
Michał Gołębiowski-Owczarek
58f0c00bed
Core: Remove deprecated jQuery APIs
Fixes gh-4056
Closes gh-4364
2019-04-29 22:04:52 +02:00
Michał Gołębiowski-Owczarek
8a74137693
Event: Stop shimming focusin & focusout events
Latest versions of all browsers now implement focusin & focusout natively
and they all converged on a common event order so it doesn't make much sense
for us to normalize it to a different order anymore.

Note that it means we no longer guarantee that focusin fires before focus
and focusout before blur.

Fixes gh-4300
Closes gh-4362
2019-04-29 21:13:36 +02:00
Michał Gołębiowski-Owczarek
8fae21200e
Data: Separate data & css/effects camelCase implementations
The camelCase implementation used by the data module no longer turns `-ms-foo`
into `msFoo` but to `MsFoo` now. This is because `data` is supposed to be
a generic utility not specifically bound to CSS use cases.

Fixes gh-3355
Closes gh-4365
2019-04-29 21:06:53 +02:00
Richard Gibson
eb6c0a7c97 Event: Prevent leverageNative from registering duplicate dummy handlers
(cherry-picked from 6c1e7dbf73)

Closes gh-4353
2019-04-29 20:50:00 +02:00
Richard Gibson
ddfa837664 Event: Fix handling of multiple async focus events
(cherry-picked from 24d71ac704)

Fixes gh-4350
Closes gh-4354
2019-04-29 20:49:30 +02:00
Michał Gołębiowski-Owczarek
874030583c
Build: Fix unresolved jQuery reference in finalPropName
Also, prevent further similar breakages by changing our ESLint configuration
to disallow relying on a global jQuery object in AMD modules.

Fixes gh-4358
Closes gh-4361
2019-04-17 19:56:25 +02:00
Michał Gołębiowski-Owczarek
00a9c2e5f4 CSS: Don't automatically add "px" to properties with a few exceptions
Fixes gh-2795
Closes gh-4055
Ref gh-4009
2019-04-08 19:26:08 +02:00
buddh4
005040379d Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323
Closes gh-4328
2019-03-25 18:14:24 +01:00
Richard Gibson
fe5f04de8f Event: Prevent leverageNative from double-firing focusin
Also, reduce size.

Closes gh-4329
Ref gh-4279
2019-03-25 18:12:08 +01:00
Michał Gołębiowski-Owczarek
753d591aea
Core: Prevent Object.prototype pollution for $.extend( true, ... )
Closes gh-4333
2019-03-25 17:57:30 +01:00
Richard Gibson
669f720edc Event: Leverage native events for focus/blur/click; propagate additional data
Summary of the changes/fixes:
1. Trigger checkbox and radio click events identically (cherry-picked from
   b442abacbb that was reverted before).
2. Manually trigger a native event before checkbox/radio handlers.
3. Add test coverage for triggering namespaced native-backed events.
4. Propagate extra parameters passed when triggering the click event to
   the handlers.
5. Intercept and preserve namespaced native-backed events.
6. Leverage native events for focus and blur.
7. Accept that focusin handlers may fire more than once for now.

Fixes gh-1741
Fixes gh-3423
Fixes gh-3751
Fixes gh-4139
Closes gh-4279
Ref gh-1367
Ref gh-3494
2019-03-20 16:40:16 +01:00
Michał Gołębiowski-Owczarek
a0abd15b9e
CSS: Avoid forcing a reflow in width/height getters unless necessary
Fixes gh-4322
Closes gh-4325
Ref gh-3991
Ref gh-4010
Ref gh-4185
Ref gh-4187
2019-03-18 18:44:43 +01:00
Michał Gołębiowski-Owczarek
c10945d0e1
Build: Remove obsolete globals from ESLint configuration
We had quite a few obsolete globals declared in various ESLint config files. We also no longer allow to rely on the `noGlobal` & `jQuery` globals in the built file which is not needed.

Closes gh-4301
2019-02-19 13:20:57 +01:00
Michał Gołębiowski-Owczarek
5bdc85b82b
Core: Support passing nonce through jQuery.globalEval
Fixes gh-4278
Closes gh-4280
Ref gh-3541
Ref gh-4269
2019-01-21 18:42:39 +01:00
Michał Gołębiowski-Owczarek
e4de8b4626
Manipulation: Respect script nomodule attribute in DOM manipulation
PR #3869 added support for `<script type="module">` & some support for
the `nomodule` attribute but with no tests for `nomodule` and with the
attribute only respected on inline scripts. This commit adds support for
source-based scripts as well. It also adds tests for `nomodule`, including
making sure legacy browsers execute such scripts as they'd natively do - that's
the whole point of `nomodule` scripts, after all.

Fixes gh-4281
Closes gh-4282
Ref gh-3871
Ref gh-3869
2019-01-21 18:34:40 +01:00
Michał Gołębiowski-Owczarek
c7c2855ed1
Core: Preserve CSP nonce on scripts in DOM manipulation
Fixes gh-3541
Closes gh-4269
2019-01-14 19:29:54 +01:00
Richard Gibson
13de7c9ede
Manipulation: Restore _evalUrl jQuery.ajax calls to dataType: script
IE and iOS <10 XHR transport does not succeed on data: URIs
Ref gh-4243
Ref gh-4126
Closes gh-4258
2018-12-13 12:54:39 -05:00
Richard Gibson
c2026b117d Manipulation: Only evaluate HTTP-successful script src
Fixes gh-4126
Closes gh-4243
2018-12-12 17:21:24 +01:00
Marja Hölttä
4ffb1df8e4 Core: Tiny efficiency fix to jQuery.extend / jQuery.fn.extend (#4246)
Read target[name] only when it's needed.

In addition to doing the property read-only when needed, this
avoids a slow path in V8 (see the issue for more details).

Fixes gh-4245
Closes gh-4246
2018-12-12 17:13:18 +01:00
Timmy Willison
315199c156
Dimensions: fall back to offsetWidth/Height for border-box in IE
- Use getClientRects() to explicitly detect hidden/disconnected
  elements

Close gh-4223
Fixes gh-4102
2018-11-27 14:28:59 -05:00
Andrei Fangli
e0d9411569 Ajax: Fix getResponseHeader(key) for IE11
- getResponseHeader(key) combines all header values for the provided key into a
single result where values are concatenated by ', '. This does not happen for
IE11 since multiple values for the same header are returned on separate lines.
This makes the function only return the last value of the header for IE11.
- Updated ajax headers test to better cover Object.prototype collisions

Close gh-4173
Fixes gh-3403
2018-11-26 12:00:41 -05:00
Saptak Sengupta
9b77def560 Core: Recognize Shadow DOM in attachment checks
Allow `isAttached` to check Shadow DOM for attachment.

Fixes gh-3504
Closes gh-3996
Ref gh-3977
2018-11-09 12:15:31 +01:00
Michał Gołębiowski-Owczarek
354f6036f2
CSS: Don't read styles.position in the width/height cssHook unless necessary
Current width/height cssHook reads the computed position style even if not
necessary as the browser passes the scrollboxSize support test. That has been
changed.

This commit also makes the scrollboxSize support test in line with all others
(i.e. only return true or false) and changes the variable name in the hook
to make the code clearer.

Fixes gh-4185
Closes gh-4187
2018-10-08 18:25:15 +02:00
Bert Zhang
f997241f00 CSS: Don't auto-append "px" to possibly-unitless CSS grid properties
This commit adds some CSS grid-related properties to jQuery.cssNumber.

Fixes gh-4007
2018-08-29 15:54:27 +02:00
Richard Gibson
979809c5a8
Manipulation: Properly detect HTML elements with single-character names
Fixes gh-4124
Closes gh-4125
2018-07-13 00:35:08 -04:00
Jason Bedard
e743cbd285
Dimensions: fix computing outerWidth on SVGs
Fixes gh-3964
Closes gh-4096
2018-06-20 22:09:29 -07:00
Timmy Willison
0645099e02
Serialize: jQuery.param: return empty string when given null/undefined
Fixes gh-2633
Close gh-4108
2018-06-20 12:07:44 -04:00
Ed S
dc05f3c1d5 Build: Remove unnecessary ESLint exception
The linked-to issue was fixed 2 years ago.

Closes gh-4095
2018-06-18 18:50:16 +02:00