Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.
Ref gh-4764
Closes gh-4871
(cherry picked from a70274632d)
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
"text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
query string parameter
Closes gh-4824
Ref gh-2432
Ref gh-2588
Ref 39cdb8c9aa
(cherry picked from commit d38528b17a)
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties
Fixes gh-4529
Closes gh-4807
Legacy Edge, similarly to IE, doesn't report XML parsing errors but just tries
to render the invalid document. Skip the error reporting test there, Edge Legacy
will return a generic "Invalid XML" error, just like IE.
Ref gh-4816
Changes:
* Remove incorrect `QUnit.testUnlessIE` usage as that util is only available
on `master`, not here.
* Change `firstCall.lastArg` to `firstCall.args[ 0 ]` as the former API is not
available in older Sinon versions.
If during a focus handler another focus event is triggered:
```js
elem1.on( "focus", function() {
elem2.trigger( "focus" );
} );
```
due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.
This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.
A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.
Fixes gh-4382
Closes gh-4813
Ref gh-4279
(cherry picked from commit dbcffb396c)
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.
Fixes gh-4417
Closes gh-4799
(cherry picked from commit 5c2d08704e)
This aligns the Node.js server with the previous PHP one in sending `mock.php`
as a callback if there's no `callback` parameter in the query string which is
triggered by a recently added test. This prevents the request crashing on that
Node.js server and printing a JS error:
```
TypeError: Cannot read property '1' of null
```
Closes gh-4764
Ref gh-4754
(cherry picked from commit df6858df2e)
The test has been already skipped in Chrome as it dropped support for such
requests and now Safari has joined the squad.
This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13.
Closes gh-4779
(cherry picked from commit c18dc49699)
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.
This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.
Fixes gh-4771
Closes gh-4773
(cherry picked from commit a1e619b03a)
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.
Ref gh-4685
Closes gh-4694
(cherry picked from commit 11066a9e6a)
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```
There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.
This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.
Closes gh-4687
(cherry picked from commit 7b0864d053)
The change in gh-4603 made the object returned by `elem.data()`
a prototype-less object. That's a desired change to support keys
colliding with `Object.prototype` properties but it's also a breaking
change so it has to wait for jQuery 4.0.0.
A 3.x-only test was added to avoid breaking it in the future on this
branch.
Fixes gh-4665
Ref gh-4603
Closes gh-4666
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).
(cherry picked from 50871a5a85)
Fixes gh-4250
Fixes gh-4655
Closes gh-4379
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".
Fixes gh-4119
Closes gh-4650
(cherry picked from 7fb90a6bea)
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
The main part of the test was checking that focusin handling in an iframe works
and that's still checked. The test was also checking that it doesn't propagate
to the parent document, though, and, apparently, in IE it does. This one test
is now blacklisted in IE.
The `doc` variable in:
https://github.com/jquery/jquery/blob/3.4.1/src/event/focusin.js#L30
matched `document` for `document` & `window` for `window`, creating two
separate wrapper event handlers & calling handlers twice if at least one
`focusout` or `focusin` handler was attached on *both* `window` & `document`,
or on `window` & another regular node.
Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5a - the commit that
introduced the regression - to make sure we don't regress on either front.
Fixes gh-4652
Closes gh-4656
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.
Fixes gh-3256
Closes gh-4603
(cherry picked from commit 9d76c0b163)
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.
Closes gh-4615
(cherry picked from commit 4a7fc8544e)
It is no longer needed to create `done` wrappers in tests that require
multiple async operations to complete.
Closes gh-4633
(cherry picked from commit 364476c3dc)
1. Support passing custom document to jQuery.globalEval; the script will be
invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
this was already supported & tested for inline scripts but not for external
ones.
Fixes gh-4518
Closes gh-4601
(cherry picked from commit 4592595b47)
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The 4.0 (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.
Apart from that, add intuitive names to Travis jobs. Otherwise it's hard to see
at a glance that a particular job is running on Firefox ESR, for example.
Ref gh-4577
Ref gh-4596
Closes gh-4600
Also, run such a suite in CI to make sure modules are working as expected
when used directly.
(partially cherry picked from 341c6d1b5a)
(partially cherry picked from 437f389a24)
Closes gh-4595
Ref gh-4550
Ref gh-4574
With Microsoft going Chromium with Edge, its old EdgeHTML issues were all
removed. :(
The commit also reformats one manipulation unit test to use tabs instead
of spaces for indentation.
(partially cherry-picked from 1dad1185e0)
Closes gh-4584
The check for old Firefox versions with different support test result only
checked for Firefox 52 or 60. It now checks for 4x/5x/60 to understand more
versions.
Closes gh-4583
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.
(cherry picked from d5c505e35d)
Fixes gh-4397
Closes gh-4558
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.
(cherry picked from 9df4f1de12)
Fixes gh-4320
Closes gh-4459
`:even` & `:odd` are deprecated since jQuery 3.4.0 & will be removed in 4.0.0.
The new `even()` & `odd()` methods will make the migration easier.
Closes gh-4485
(cherry picked from commit 78420d427c)
Android was catching the generic iOS regex. Checking for Android first should
eliminate that issue as iOS user agents don't contain the word "Android".
Putting Safari last makes Android UAs not be tested against it.
The regexes detecting browsers with their versions have been updated for iOS
and Safari so that all iOS >=11 & all Safari (desktop) >= 11 are recognized.
This is required to make Safari 13 & iOS 13 pass support tests but it'll also
make tests forward-compatible with future Safari/iOS versions.
Closes gh-4488
This commit also backports some jQuery.isXMLDoc tests from master so that this
behavior doesn't regress.
(partially cherry-picked from 79b74e043a)
Closes gh-4438
Ref jquery/sizzle#378
Ref jquery/sizzle#436
The test for Shadow DOM v1 support has been changed to rely on the presence of
`documentElement.getRootNode` as iOS 10.0-10.2 supports `attachShadow` but
doesn't support `getRootNode`.
No new test is necessary - iOS 10.0 fails lots of our test suite because of
this bug.
Fixes gh-4356
Closes gh-4360
Android Browser disregards td's box-sizing, treating it like it was content-box.
Unlike in IE, offsetHeight shares the same issue so there's no easy way to
workaround the issue without incurring high size penalty. Let's at least check
we get the size as the browser sees it.
Also, fix the nearby support comment syntax.
Closes gh-4335
Android Browser versions provided by BrowserStack fail the "prototype collision
(constructor)" test while locally fired emulators don't, even when they connect
to TestSwarm. Just skip the test there to avoid a red build.
Closes gh-4334
Summary of the changes/fixes:
1. Trigger checkbox and radio click events identically (cherry-picked from
b442abacbb that was reverted before).
2. Manually trigger a native event before checkbox/radio handlers.
3. Add test coverage for triggering namespaced native-backed events.
4. Propagate extra parameters passed when triggering the click event to
the handlers.
5. Intercept and preserve namespaced native-backed events.
6. Leverage native events for focus and blur.
7. Accept that focusin handlers may fire more than once for now.
Fixes gh-1741
Fixes gh-3423
Fixes gh-3751
Fixes gh-4139
Closes gh-4279
Ref gh-1367
Ref gh-3494
So far, we've been testing that jQuery element iteration works with polyfilled
Symbol & transpiled for-of via a Node test with jsdom with the Symbol global
removed. Unfortunately, jsdom now requires Symbol to be present for its internal
functionality so such a test is no longer possible. Instead, it's been migrated
to an iframe test with transpiled JavaScript.
This PR also enables us to use ECMAScript 2017 or newer in Node.js code.
Closes gh-4305
We had quite a few obsolete globals declared in various ESLint config files. We also no longer allow to rely on the `noGlobal` & `jQuery` globals in the built file which is not needed.
Closes gh-4301
Also, run `grunt npmcopy` to sync the "external" directory with dependencies
from package.json. For example, the Sinon library version didn't match.
Ref gh-4234
Closes gh-4297
PR #3869 added support for `<script type="module">` & some support for
the `nomodule` attribute but with no tests for `nomodule` and with the
attribute only respected on inline scripts. This commit adds support for
source-based scripts as well. It also adds tests for `nomodule`, including
making sure legacy browsers execute such scripts as they'd natively do - that's
the whole point of `nomodule` scripts, after all.
Fixes gh-4281
Closes gh-4282
Ref gh-3871
Ref gh-3869
Old iOS & Android Browser versions support script-src but not nonce, making the
nonce test impossible to run. Browsers not supporting CSP at all are not
a problem as they'll skip script-src restrictions completely.
Ref gh-3541
Ref gh-4269
Ref c7c2855ed1
- getResponseHeader(key) combines all header values for the provided key into a
single result where values are concatenated by ', '. This does not happen for
IE11 since multiple values for the same header are returned on separate lines.
This makes the function only return the last value of the header for IE11.
- Updated ajax headers test to better cover Object.prototype collisions
Close gh-4173
Fixes gh-3403
Current width/height cssHook reads the computed position style even if not
necessary as the browser passes the scrollboxSize support test. That has been
changed.
This commit also makes the scrollboxSize support test in line with all others
(i.e. only return true or false) and changes the variable name in the hook
to make the code clearer.
Fixes gh-4185
Closes gh-4187
The user agent of the iPad with iOS 11.3 on BrowserStack is missing the "iPhone"
part in the "iPhone OS 11_3" part. This commit makes the iOS regex accept such
(probably?) malformed UAs.
Edge sometimes doesn't execute module scripts. It needs to be investigated why
but for now, we're skipping the test to make our tests more stable.
Closes gh-4140
In Edge 14-16 setting a style property to a whitespace-only value resets it to
the default, forcing us to skip a relevant CSS test in Edge. Now that Edge 17
has fixed the issue we can re-enable this test there.
Ref gh-3204
Closes gh-4101
A whitelist is available so that some tests can be allowed to always succeed.
This is used only for ajax for now as it can be manually disabled in IE but
is enabled by default.
Closes gh-4052
