Commit Graph

374 Commits

Author SHA1 Message Date
Michał Gołębiowski-Owczarek
de5398a6ad
Core:Manipulation: Add basic TrustedHTML support
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.

One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespace is allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.

No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.

The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.

See https://web.dev/trusted-types/ for more information about TrustedHTML.

Fixes gh-4409
Closes gh-4927
Ref gh-4642
Ref gh-4724
2021-09-30 16:00:24 +02:00
Michał Gołębiowski-Owczarek
1019074f7b
Tests: Don't remove csp.log in the cspClean action of mock.php
For some reason the current setup worked fine with Apache but broke for me when
I migrated to nginx.

Closes gh-4936
2021-09-30 00:08:47 +02:00
Michał Gołębiowski-Owczarek
d225639a8e
Tests: Load the TestSwarm listener via HTTPS
2021-09-29 15:28:52 +02:00
Michał Gołębiowski-Owczarek
2f8f39e457
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery's logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comment
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.

We also used to strip CDATA sections. However, this shouldn't be needed as in
XML documents they're already not visible when inspecting element contents and
in HTML documents they have no meaning. We've preserved that behavior for
backwards compatibility in 3.x but we're removing it for 4.0.

Fixes gh-4904
Closes gh-4906
2021-07-19 19:04:23 +02:00
Timo Tijhof
482f846203
Tests: Switch background image from online file to local 1x1.jpg
Also, remove unused `expected` property in `css` test cases.

Closes gh-4866
2021-05-24 18:23:50 +02:00
Michał Gołębiowski-Owczarek
a70274632d
Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes it easy to introduce security
issues if this cleanup is not done.

Ref gh-4764
Closes gh-4871
2021-04-13 22:13:48 +02:00
Michał Gołębiowski-Owczarek
345cd22e56
Build: Take core-js-bundle from the external directory as well
That package was missed in gh-4865 as it only broke browsers needing the
polyfill which is just IE at the moment. Thus, it broke Core tests in IE only.

Ref gh-4865
Closes gh-4870
2021-04-13 22:10:09 +02:00
高灰
15ae361485
Manipulation: Respect script crossorigin attribute in DOM manipulation
Fixes gh-4542
Closes gh-4563

Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-09-22 17:30:18 +02:00
Michał Gołębiowski-Owczarek
07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it used for all async requests as well to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other types of requests using the script tag version of the
script transport set their type to "GET", namely async scripts & ones with
`scriptAttrs` set, in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00
Michał Gołębiowski-Owczarek
e7b3bc488d
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
2020-07-27 19:15:57 +02:00
Michał Gołębiowski-Owczarek
d96111e18b
Tests: Remove remaining obsolete jQuery.cache references
PR gh-4586 removed some of those but not all.

Closes gh-4715
Ref gh-4586
2020-05-18 18:43:01 +02:00
Michał Gołębiowski-Owczarek
90fed4b453
Manipulation: Make jQuery.htmlPrefilter an identity function
Closes gh-4642
2020-03-16 21:49:29 +01:00
Michał Gołębiowski-Owczarek
4592595b47
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
   invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
   this was already supported & tested for inline scripts but not for external
   ones.

Fixes gh-4518
Closes gh-4601
2020-02-10 19:17:22 +01:00
Michał Gołębiowski-Owczarek
18db87172c
Event: remove jQuery.event.global
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de0
when fixing the trac-12989 bug.

Closes gh-4602
2020-02-10 19:13:09 +01:00
Michał Gołębiowski-Owczarek
eb35be528f
Tests: Remove obsolete jQuery data tests
The tests relied on `jQuery.cache` so they only ever worked in jQuery 1.x.

Closes gh-4586
2020-01-13 19:23:01 +01:00
Michał Gołębiowski-Owczarek
0f780ba7cc
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:

1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`

It also adds separate Travis jobs for the no-deprecated & slim builds. 

Closes gh-4577
2020-01-07 23:59:08 +01:00
Michał Gołębiowski-Owczarek
341c6d1b5a
Build: Make Karma work in ES modules mode
Also, run such a suite in CI to make sure modules are working as expected
when used directly.

Closes gh-4550
2019-12-16 19:33:49 +01:00
Michał Gołębiowski-Owczarek
f37c2e51f3
Build: Auto-convert sources to AMD
jQuery source has been migrated in gh-4541 from AMD to ES modules. To maintain
support for consumers of our AMD modules, this commit adds a task transpiling
the ES modules sources in `src/` to AMD in `amd/`.

A "Load with AMD" checkbox was also restored to the QUnit setup. Note that,
contrary to jQuery 3.x, AMD files need to be generated via `grunt amd` or
`grunt` as sources are not authored in ECMAScript modules. To achieve a similar
no-compile experience during jQuery 4.x testing, use the new "Load as modules"
checkbox which works in all supported browsers except for IE & Edge (the
legacy, EdgeHTML-based one).

Ref gh-4541
Closes gh-4554
2019-12-09 20:00:44 +01:00
Michał Gołębiowski-Owczarek
05184cc448
Selector: Make empty attribute selectors work in IE again
qSA in IE 11/Edge often (but not always) doesn't find elements with an empty
name attribute selector (`[name=""]`). Detect that & fall back to Sizzle
traversal.

Interestingly, IE 10 & older don't seem to have the issue.

Fixes gh-4435
Closes gh-4510
2019-11-18 22:10:55 +01:00
Michał Gołębiowski-Owczarek
d0ce00cdfa
Core: Migrate from AMD to ES modules 🎉
Migrate all source AMD modules to ECMAScript modules. The final bundle
is compiled by a custom build process that uses Rollup under the hood.

Test files themselves are still loaded via RequireJS as that has to work in
IE 11.

Tests can now be run in "Load as modules" mode which replaces the previous
"Load with AMD" option. That option of running tests doesn't work in IE
and Edge as it requires support for dynamic imports.

Some of the changes required by the migration:
* check `typeof` of `noGlobal` instead of using the variable directly
  as it's not available when modules are used
* change the nonce module to be an object as ECMAScript module exports
  are immutable
* remove some unused exports
* import `./core/parseHTML.js` directly in `jquery.js` so that it's not
  being cut out when the `ajax` module is excluded in a custom compilation

Closes gh-4541
2019-11-18 21:15:03 +01:00
Michał Gołębiowski-Owczarek
f09d92100f
Docs: Update most URLs to HTTPS
Closes gh-4511
2019-10-21 19:03:48 +02:00
Michał Gołębiowski-Owczarek
1d624c10b4
Tests: Stop using jQuery.find in tests
This prepares us for possibly hiding jQuery.find in jQuery 4.0.

Closes gh-4517
2019-10-21 19:02:22 +02:00
Sean Robinson
50871a5a85
Ajax: Do not execute scripts for unsuccessful HTTP responses
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).

Fixes gh-4250
Closes gh-4379
2019-09-26 02:43:30 +02:00
Michał Gołębiowski-Owczarek
7bdf307b51
Tests: Fix a comment in testinit.js
A copied comment line was accidentally left out above the line defining
`QUnit.jQuerySelectorsPos`, making the sentence nonsense. This commit removes
that line.

Closes gh-4458
2019-08-19 18:36:21 +02:00
Michał Gołębiowski-Owczarek
47835965bd
Selector: Inline Sizzle into the selector module
This commit removes Sizzle from jQuery, inlining its code & removing obsolete
workarounds where applicable.

The selector-native module has been removed. Further work on the selector
module may decrease the size enough that it will no longer be necessary. If
it turns out it's still useful, we'll reinstate it but the code will look
different anyway as we'll want to share as much code as possible with
the existing selector module.

The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are
sorted by their first contributions to either of the two repositories.

The commit reduces the gzipped jQuery size by 1460 bytes compared to master.

Closes gh-4395
2019-07-29 21:19:21 +02:00
Michał Gołębiowski-Owczarek
79b74e043a
Selector: Port Sizzle tests to jQuery
Apart from porting most Sizzle tests to jQuery (mostly to its selector module),
this commit fixes selector-native so that a jQuery custom compilation that
excludes Sizzle passes all tests as well.

Closes gh-4406
2019-06-26 21:39:10 +02:00
Michał Gołębiowski-Owczarek
3527a38405
Core: Remove IE-specific support tests, rely on document.documentMode
Also, update some tests to IE-sniff when deciding whether
to skip a test.

Fixes gh-4386
Closes gh-4387
2019-05-13 21:39:56 +02:00
Michał Gołębiowski-Owczarek
cf84696fd1
Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJS
Also, update support comments format to match format described in:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197
with the change from:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379
(open-ended ranges end with `+`).

Fixes gh-3950
Fixes gh-4299
Closes gh-4347
2019-04-29 22:56:09 +02:00
Michał Gołębiowski-Owczarek
2e4b79ab8f
Tests: Fix the core-js polyfill inclusion method
core-js 3 no longer includes a built file in the bundle but core-js-bundle
does.

Closes gh-4342
Ref gh-4341
2019-04-04 23:45:57 +02:00
buddh4
005040379d
Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323
Closes gh-4328
2019-03-25 18:14:24 +01:00
Michał Gołębiowski-Owczarek
0ec25abba2
Build: Run the basic test suite in jsdom
The basic test suite is now run in jsdom on all supported Node.js versions
(8, 10 & 11 as of now).

Closes gh-4310
2019-03-11 20:03:54 +01:00
Michał Gołębiowski-Owczarek
84b6a0beb1
Build: Remove manual QUnit fixture resetting
It was needed when QUnit 1.x was used but we've since upgraded to QUnit 2.x.

Closes gh-4312
Ref gh-4307
2019-03-11 17:25:48 +01:00
Michał Gołębiowski-Owczarek
6ced2639b5
Build: Update QUnit from 1.23.1 to 2.9.2
Closes gh-4307
2019-03-04 20:10:21 +01:00
Michał Gołębiowski-Owczarek
9cb124ed00
Build: Update jsdom; migrate a test with Symbol polyfill to an iframe test
So far, we've been testing that jQuery element iteration works with polyfilled
Symbol & transpiled for-of via a Node test with jsdom with the Symbol global
removed. Unfortunately, jsdom now requires Symbol to be present for its internal
functionality so such a test is no longer possible. Instead, it's been migrated
to an iframe test with transpiled JavaScript.

This PR also enables us to use ECMAScript 2017 or newer in Node.js code.

Closes gh-4305
2019-03-04 18:30:51 +01:00
abnud1
c349818742
Build: Update test code for compatibility with QUnit 2.x (#4297)
Also, run `grunt npmcopy` to sync the "external" directory with dependencies
from package.json. For example, the Sinon library version didn't match.

Ref gh-4234
Closes gh-4297
2019-02-18 19:03:26 +01:00
Michał Gołębiowski-Owczarek
5bdc85b82b
Core: Support passing nonce through jQuery.globalEval
Fixes gh-4278
Closes gh-4280
Ref gh-3541
Ref gh-4269
2019-01-21 18:42:39 +01:00
Michał Gołębiowski-Owczarek
e4de8b4626
Manipulation: Respect script nomodule attribute in DOM manipulation
PR #3869 added support for `<script type="module">` & some support for
the `nomodule` attribute but with no tests for `nomodule` and with the
attribute only respected on inline scripts. This commit adds support for
source-based scripts as well. It also adds tests for `nomodule`, including
making sure legacy browsers execute such scripts as they'd natively do - that's
the whole point of `nomodule` scripts, after all.

Fixes gh-4281
Closes gh-4282
Ref gh-3871
Ref gh-3869
2019-01-21 18:34:40 +01:00
Michał Gołębiowski-Owczarek
c7c2855ed1
Core: Preserve CSP nonce on scripts in DOM manipulation
Fixes gh-3541
Closes gh-4269
2019-01-14 19:29:54 +01:00
Timmy Willison
315199c156
Dimensions: fall back to offsetWidth/Height for border-box in IE
- Use getClientRects() to explicitly detect hidden/disconnected
  elements

Close gh-4223
Fixes gh-4102
2018-11-27 14:28:59 -05:00
Timmy Willison
b8195fb94c
Tests: fix ajax test failure; add to header instead of replace 2018-11-26 12:46:58 -05:00
Andrei Fangli
e0d9411569
Ajax: Fix getResponseHeader(key) for IE11
- getResponseHeader(key) combines all header values for the provided key into a
single result where values are concatenated by ', '. This does not happen for
IE11 since multiple values for the same header are returned on separate lines.
This makes the function only return the last value of the header for IE11.
- Updated ajax headers test to better cover Object.prototype collisions

Close gh-4173
Fixes gh-3403
2018-11-26 12:00:41 -05:00
Richard Gibson
dfa92ccead
Tests: Allow Karma to load unminified source
Closes gh-4128
2018-09-07 10:14:01 -04:00
Luis Emilio Velasco Sanchez
0ba8e38d0c
Traversing: $.fn.contents() support for object
Fixes gh-4045
Closes gh-4046
2018-05-14 13:41:42 -04:00
Richard Gibson
821bf34353
CSS: Correctly detect scrollbox support with non-default zoom
Fixes gh-4029
Closes gh-4030
2018-05-07 09:28:18 -04:00
Timmy Willison
625e19cd9b
Tests: ensure that module assertions run on supported browsers
- Also fixes tests for karma, where the URL for the module is different

Ref gh-3871
2018-01-16 15:18:32 -05:00
basil.belokon
5d3a968e03
Manipulation: Add support for scripts with module type
Fixes gh-3871
Close gh-3869
2018-01-16 11:39:16 -05:00
Jason Bedard
3d732cca6b
Core: deprecate jQuery.isFunction
Fixes gh-3609
2018-01-15 09:26:19 -08:00
Timo Tijhof
ecd8ddea33
Tests: Add support for running unit tests via grunt with karma
- Update QUnit to 1.23.1
- Remove unused dl#dl from test/index.html
- Remove unused map#imgmap from test/index.html
- Ensure all urls to data use baseURI
- Add the 'grunt karma:main' task
  - customContextFile & customDebugFile
- Add 'npm run jenkins' script

Close gh-3744
Fixes gh-1999
2017-12-18 12:27:38 -05:00
Saptak Sengupta
f00a07590e
CSS: Correctly set support properties with non-default zoom
Fixes gh-3808
Closes gh-3872
2017-12-05 23:59:54 -05:00
Richard Gibson
928c580a1a
Tests: Reduce the abort timeout for simple focus testing
Ref gh-3732
2017-07-19 11:45:03 -04:00