Commit Graph

2650 Commits

Author SHA1 Message Date
Michał Gołębiowski-Owczarek
5266f23cf4
Selector: Implement the uniqueSort chainable method
Some APIs, like `.prevAll()`, return elements in the reversed order, causing
confusing behavior when used with wrapping methods (see gh-5149 for more info)
 To provide an easy workaround, this commit implements a chainable `uniqueSort`
method on jQuery objects, an equivalent of `jQuery.uniqueSort`.

Fixes gh-5166
Closes gh-5168
2022-11-28 18:10:33 +01:00
Michał Gołębiowski-Owczarek
716130e094
Tests: Indicate Firefox 106+ passes the cssSupportsSelector test
Firefox 106 adjusted to the spec mandating that `CSS.supports("selector(...)")`
uses non-forgiving parsing which makes it pass the relevant support test.

Closes gh-5141
2022-11-25 00:54:56 +01:00
Michał Gołębiowski-Owczarek
4c1171f2ed
Selector: Re-introduce selector-native.js
Re-introduce the `selector-native` similar to the one on the `3.x-stable`
branch. One difference is since the `main` branch inlined Sizzle, some
selector utils can be shared between the main `selector` module and
`selector-native`.

The main `selector` module can be disabled in favor of `selector-native`
via:

    grunt custom:-selector

Other changes:
* Tests: Fix Safari detection - Chrome Headless has a different user
  agent than Safari and a browser check in selector tests didn't take
  that into account.
* Tests: Run selector-native tests in `npm test`
* Selector: Fix querying on document fragments

Ref gh-4395
Closes gh-5085
2022-11-21 23:23:39 +01:00
Michał Gołębiowski-Owczarek
3299236c89
Selector:Manipulation: Fix DOM manip within template contents
The `<template/>` element `contents` property is a document fragment that may
have a `null` `documentElement`. In Safari 16 this happens in more cases due
to recent spec changes - in particular, even if that document fragment is
explicitly adopted into an outer document. We're testing both of those cases
now.

The crash used to happen in `jQuery.contains`. As it turns out, we don't need
to query the supposed container `documentElement` if it has the
`Node.DOCUMENT_NODE` (9) `nodeType`; we can call `.contains()` directly on
the `document`. That avoids the crash.

Fixes gh-5147
Closes gh-5158
2022-11-14 23:17:23 +01:00
Michał Gołębiowski-Owczarek
74978b7e89
Ajax: Support null as success functions in jQuery.get
According to the docs, one can use `null` as a success function in `jQuery.get`
of `jQuery.post` so the following:

```js
await jQuery.get( "https://httpbin.org/json", null, "text" )
```

should get the text result. However, this shortcut hasn't been working so far.

Fixes gh-4989
Closes gh-5139
2022-10-17 18:54:28 +02:00
Michał Gołębiowski-Owczarek
8c7da22cae
Selector: Drop support for legacy pseudos, test custom pseudos
This backports custom pseudos tests from Sizzle; they were missed in original
test backports. Also, the support for legacy custom pseudos has been dropped.

The `jQuery.expr` test cleanup has been wrapped in `try-finally` for cleaner
test isolation in case anything goes wrong.

Closes gh-5137
2022-10-11 11:55:46 +02:00
Michał Gołębiowski-Owczarek
ee6e874075
Manipulation: Extract domManip to a separate file
We've already had `buildFragment` extracted to a separate file long ago.
`domManip` is quite a complex & crucial API and so far it has existed within
the `manipulation.js` module. Extracting it makes the module shorter and easier
to understand.

A few comments / messages in tests have also been updated to not suggest there's
a public `jQuery.domManip` API - it's been private since 3.0.0.

Closes gh-5138
2022-10-10 18:15:34 +02:00
Michał Gołębiowski-Owczarek
e7ffe1f135
Tests: Remove a workaround for a Firefox XML parsing issue
Firefox 96-100 used to report the column number smaller by 2 than it should
in the `parsererror` element generated for invalid XML documents. Since that
version range is unsupported now and it includes no ESR versions, the workaround
can now be dropped.

Closes gh-5109
Ref gh-5018
2022-10-03 22:53:39 +02:00
Michał Gołębiowski-Owczarek
7eb0019640
CSS: Return undefined for whitespace-only CSS variable values (#5120)
The spec requires that CSS variable values are trimmed. In browsers that do
this - mainly, Safari, but also Firefox if the value only has leading
whitespace - we currently return undefined; in other browsers, we return
an empty string as the logic to fall back to undefined happens before
trimming.

This commit adds another explicit callback to `undefined` to have it consistent
across browsers.

Also, more explicit comments about behaviors we need to work around in various
browsers have been added.

Closes gh-5120
Ref gh-5106
2022-10-03 18:10:42 +02:00
Anders Kaseorg
ed306c0261
CSS: Don’t trim whitespace of undefined custom property
Fixes gh-5105
Closes gh-5106

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-09-19 23:08:12 +02:00
Michał Gołębiowski-Owczarek
d153c375e6
Selector: Use jQuery :has if CSS.supports(selector(...)) non-compliant
jQuery has followed the following logic for selector handling for ages:
1. Modify the selector to adhere to scoping rules jQuery mandates.
2. Try `qSA` on the modified selector. If it succeeds, use the results.
3. If `qSA` threw an error, run the jQuery custom traversal instead.

It worked fine so far but now CSS has a concept of forgiving selector lists that
some selectors like `:is()` & `:has()` use. That means providing unrecognized
selectors as parameters to `:is()` & `:has()` no longer throws an error, it will
just return no results. That made browsers with native `:has()` support break
selectors using jQuery extensions inside, e.g. `:has(:contains("Item"))`.

Detecting support for selectors can also be done via:

```js
CSS.supports( "selector(SELECTOR_TO_BE_TESTED)" )
```
which returns a boolean. There was a recent spec change requiring this API to
always use non-forgiving parsing:
https://github.com/w3c/csswg-drafts/issues/7280#issuecomment-1143852187
However, no browsers have implemented this change so far.

To solve this, two changes are being made:
1. In browsers supports the new spec change to `CSS.supports( "selector()" )`,
   use it before trying `qSA`.
2. Otherwise, add `:has` to the buggy selectors list.

Fixes gh-5098
Closes gh-5107
Ref w3c/csswg-drafts#7676
2022-09-19 20:56:02 +02:00
Michał Gołębiowski-Owczarek
8cf39b78e6
Tests: Fix the link to QUnit CSS file
Without this fix, the layout is fine during the test run but all the CSS is gone
when tests finish and the results are shown.

This affects commands like `grunt karma:chrome-debug`.

Closes gh-5090
2022-08-29 17:44:10 +02:00
Michał Gołębiowski-Owczarek
fae5fee8b4
Tests: Exclude tests based on compilation flags, not API presence
Introduces a new test API, `includesModule`. The method returns whether
a particular module like "ajax" or "deprecated" is included in the current
jQuery build; it handles the slim build as well. The util was created so that
we don't treat presence of particular APIs to decide whether to run a test as
then if we accidentally remove an API, the tests would still not fail.

Fixes gh-5069
Closes gh-5046
2022-06-28 12:39:01 +02:00
Michał Gołębiowski-Owczarek
6c2c7362fb
Effects: Remove jQuery.fx.interval
`jQuery.fx.interval` has been deprecated since jQuery 3.0.0 but it has been
still used in jQuery code until this change. This commit removes the definition
and explicitly uses the `13` number in its place.

Closes gh-5017
2022-03-01 14:11:50 +01:00
Michał Gołębiowski-Owczarek
af1cd6f218
Tests: Workaround an XML parsing bug in Firefox
See https://bugzilla.mozilla.org/show_bug.cgi?id=1751796

Closes gh-5018
2022-02-28 18:26:53 +01:00
Michał Gołębiowski-Owczarek
a338b407f2
CSS: Skip falsy values in addClass( array ), compress code
This change makes jQuery skip falsy values in `addClass( array )`
& `removeClass( array )` instead of stopping iteration when the first falsy
value is detected. This makes code like:
```js
elem.addClass( [ "a", "", "b" ] );
```
add both the `a` & `b` classes.

The code was also optimized for size a bit so it doesn't increase the
minified gzipped size.

Fixes gh-4998
Closes gh-5003
2022-01-24 18:56:49 +01:00
Bruno PIERRE
9c6f64c7b5
Core: Don't rely on splice being present on input
Without this fix calling `jQuery.uniqueSort` on an array-like can result in:

TypeError: results.splice is not a function
    at Function.jQuery.uniqueSort (https://code.jquery.com/jquery-git.js:664:12)
    at jQuery.fn.init.find (https://code.jquery.com/jquery-git.js:2394:27)
    at gocusihafe.js:3:4

Closes gh-4986
2022-01-24 18:55:16 +01:00
Michał Gołębiowski-Owczarek
eb9ceb2fac
Docs: Fix incorrect trac-NUMBER references
PR gh-4993 changed a few too many issue references to `trac-NUMBER` ones. This
change fixes them. It also fixes a typo in one Trac issue number in selector
tests.

Ref gh-4993
Closes gh-4995
2022-01-12 23:23:42 +01:00
Timmy Willison
ed066ac702
Docs: remove expired links from old jquery source (#4997)
Ref gh-4981
Ref gh-4991
2022-01-07 17:44:51 +00:00
Michał Gołębiowski-Owczarek
5d5ea01511
Docs: Replace #NUMBER Trac issue references with trac-NUMBER
The GitHub UI treats `#NUMBER` as referring to its own issues which is confusing
when in jQuery source it's usually referring to the old deprecated Trac instance
at https://bugs.jquery.com. This change replaces all such Trac references with
`trac-NUMBER`.

A few of the references came with the Sizzle integration and referred to the
Sizzle GitHub bug tracker. Those have been replaced with full links instead.

A new entry describing issue reference conventions has been added to README.

Closes gh-4993
2022-01-04 16:27:18 +01:00
Michał Gołębiowski-Owczarek
00c060d161
Tests: Skip ETag AJAX tests on TestSwarm
TestSwarm is now proxied via Cloudflare which cuts out headers relevant for
ETag tests, failing them. We're still running those tests in Karma on Chrome
& Firefox (including Firefox ESR).

Closes gh-4974
2021-12-01 12:46:33 +01:00
Michał Gołębiowski-Owczarek
19ced963c6
Tests: Allow statusText to be "success" in AJAX tests
In HTTP/2, status message is not supported and whatever is reported as
statusText differs between browsers. In Chrome & Safari it's "success", in
Firefox & IE it's "OK". So far "success" wasn't allowed. This made the tests
pass locally if you're running an HTTP/1.1 server but on TestSwarm which is
now proxied via an HTTP/2-equipped Cloudflare, the relevant test started failing
in Chrome & Safari.

Allow "success" to resolve the issue.

Closes gh-4973
2021-12-01 12:46:17 +01:00
Michał Gołębiowski-Owczarek
4250b62878
Attributes: Don't stringify attributes in the setter
Stringifying attributes in the setter was needed for IE <=9 but it breaks
trusted types enforcement when setting a script `src` attribute.

Note that this doesn't mean script execution works. Since jQuery disables all
scripts by changing their type and then executes them by creating fresh script
tags with proper `src` & possibly other attributes, this unwraps any trusted
`src` wrappers, making the script not execute under strict CSP settings.
We might try to fix it in the future in a separate change.

Fixes gh-4948
Closes gh-4949
2021-11-01 18:10:23 +01:00
Michał Gołębiowski-Owczarek
de5398a6ad
Core:Manipulation: Add basic TrustedHTML support
This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery
manipulation methods in a way that doesn't violate the
`require-trusted-types-for` Content Security Policy directive.
This commit builds on previous work needed for trusted types support, including
gh-4642 and gh-4724.

One restriction is that while any TrustedHTML wrapper should work as input
for jQuery methods like `.html()` or `.append()`, for passing directly to the
`jQuery` factory the string must start with `<` and end with `>`; no trailing
or leading whitespaces are allowed. This is necessary as we cannot parse out
a part of the input for further construction; that would violate the CSP rule -
and that's what's done to HTML input not matching these constraints.

No trusted types API is used explicitly in source; the majority of the work is
ensuring we don't pass the input converted to string to APIs that would
eventually assign it to `innerHTML`. This extra cautiousness is caused by the
API being Blink-only, at least for now.

The ban on passing strings to `innerHTML` means support tests relying on such
assignments are impossible. We don't currently have such tests on the `main`
branch but we used to have many of them in the 3.x & older lines. If there's
a need to re-add such a test, we'll need an escape hatch to skip them for apps
needing CSP-enforced TrustedHTML.

See https://web.dev/trusted-types/ for more information about TrustedHTML.

Fixes gh-4409
Closes gh-4927
Ref gh-4642
Ref gh-4724
2021-09-30 16:00:24 +02:00
Michał Gołębiowski-Owczarek
1019074f7b
Tests: Don't remove csp.log in the cspClean action of mock.php
For some reason the current setup worked fine with Apache but broke for me when
I migrated to nginx.

Closes gh-4936
2021-09-30 00:08:47 +02:00
Michał Gołębiowski-Owczarek
d225639a8e Tests: Load the TestSwarm listener via HTTPS 2021-09-29 15:28:52 +02:00
fecore1
efadfe991a
CSS: Trim whitespace surrounding CSS Custom Properties values
The spec has recently changed and CSS Custom Properties values are trimmed now.
This change makes jQuery polyfill that new behavior for all browsers.

Ref w3c/csswg-drafts#774
Fixes gh-4926
Closes gh-4930
2021-09-23 13:35:18 +02:00
Michał Gołębiowski-Owczarek
2f8f39e457
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comments
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.

We also used to strip CDATA sections. However, this shouldn't be needed as in
XML documents they're already not visible when inspecting element contents and
in HTML documents they have no meaning. We've preserved that behavior for
backwards compatibility in 3.x but we're removing it for 4.0.

Fixes gh-4904
Closes gh-4906
2021-07-19 19:04:23 +02:00
Timo Tijhof
482f846203
Tests: Switch background image from online file to local 1x1.jpg
Also, remove unused `expected` property in `css` test cases.

Closes gh-4866
2021-05-24 18:23:50 +02:00
Michał Gołębiowski-Owczarek
e539bac79e
Event: Don't break focus triggering after .on(focus).off(focus)
The `_default` function in the special event settings for focus/blur has
always returned `true` since gh-4813 as the event was already being fired
from `leverageNative`. However, that only works if there's an active handler
on that element; this made a quick consecutive call:

```js
elem.on( "focus", function() {} ).off( "focus" );
```

make subsequent `.trigger( "focus" )` calls to not do any triggering.

The solution, already used in a similar `_default` method for the `click` event,
is to check for the `dataPriv` entry on the element for the focus event
(similarly for blur).

Fixes gh-4867
Closes gh-4885
2021-05-10 18:59:14 +02:00
Michał Gołębiowski-Owczarek
a70274632d
Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.

Ref gh-4764
Closes gh-4871
2021-04-13 22:13:48 +02:00
Michał Gołębiowski-Owczarek
50e8e84621
Tests: Make more tests run natively in Chrome & Firefox
Chrome & Firefox now support complex `:not()` selectors so those test can run
in them even without custom jQuery selector code. In the past, it was only
possible in Safari, now we only need to exclude IE.

Closes gh-4864
2021-04-13 22:11:45 +02:00
Michał Gołębiowski-Owczarek
345cd22e56
Build: Take core-js-bundle from the external directory as well
That package was missed in gh-4865 as it only broke browsers needing the
polyfill which is just IE at the moment. Thus, it broke Core tests in IE only.

Ref gh-4865
Closes gh-4870
2021-04-13 22:10:09 +02:00
Michał Gołębiowski-Owczarek
a684e6ba83
Build: Restore the external directory
In gh-4466, we removed the `external` directory in favor of loading some files
directly from `node_modules`. This works fine locally but when deploying code
for tests, this makes it impossible to not deploy `node_modules` as well. To
avoid the issue, this change restores usage of the `external` directory.

One change is that we no longer commit this directory to the repository, its
only purpose is to have clear isolation from `node_modules`.

Ref gh-4466
Closess gh-4865
2021-03-24 23:36:25 +01:00
Michał Gołębiowski-Owczarek
8ae477a432
Build: Rename master to main across the repository
The default branch was updated, this updates the remaining occurrences in code
& comments.

Closes gh-4838
2021-02-05 22:00:56 +01:00
Michał Gołębiowski-Owczarek
025da4dd34
Ajax: Don't auto-execute scripts unless dataType provided
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless
`dataType: "script"` was explicitly provided; this change landed in jQuery
3.0.0. This change extends that logic same-domain scripts as well.

After this change, to request a script under a provided URL to be evaluated,
you need to provide `dataType: "script` in `jQuery.ajax` options or to use
`jQuery.getScript`.

Fixes gh-4822
Closes gh-4825
Ref gh-2432
Ref gh-2588
2021-01-26 15:58:29 +01:00
Michał Gołębiowski-Owczarek
d38528b17a
Tests: Fix tests for not auto-executing scripts without dataType
Two issues are fixed in testing for responses with a script Content-Type not
getting auto-executed unless an explicit `dataType: "script"` is provided:
* the test is now using a correct "text/javascript" Content-Type; it was using
  "text/html" until now which doesn't really check if the fix works
* the Node.js based version of the tests didn't account for an empty `header`
  query string parameter

Closes gh-4824
Ref gh-2432
Ref gh-2588
Ref 39cdb8c9aa
2021-01-11 18:20:36 +01:00
Timmy Willison
3bbbc11111
Dimensions: Add offset prop fallback to FF for unreliable TR dimensions
Firefox incorrectly (or perhaps correctly) includes table borders in computed
dimensions, but they are the only one. Workaround this by testing for it and
falling back to offset properties

Fixes gh-4529
Closes gh-4808
2021-01-11 11:56:08 -05:00
Michał Gołębiowski-Owczarek
8969732518
Core: Report browser errors in parseXML
Fixes gh-4784
Closes gh-4816
2020-12-08 11:22:21 +01:00
Michał Gołębiowski-Owczarek
fd421097c5
Core: Make jQuery.isXMLDoc accept falsy input
Fixes gh-4782
Closes gh-4814
2020-12-07 21:09:15 +01:00
Michał Gołębiowski-Owczarek
dbcffb396c
Event: Make focus re-triggering not focus the original element back
If during a focus handler another focus event is triggered:

```js
elem1.on( "focus", function() {
	elem2.trigger( "focus" );
} );
```

due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.

This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.

A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.

Fixes gh-4382
Closes gh-4813
Ref gh-4279
2020-12-07 20:28:44 +01:00
Michał Gołębiowski-Owczarek
5c2d08704e
Event: Don't crash if an element is removed on blur
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.

Fixes gh-4417
Closes gh-4799
2020-10-19 21:17:51 +02:00
Michał Gołębiowski-Owczarek
e35fb62db4
Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.

Also, clean up some comments & remove some obsolete workarounds.

Fixes gh-4568
Closes gh-4792
2020-09-22 17:49:28 +02:00
高灰
15ae361485
Manipulation: Respect script crossorigin attribute in DOM manipulation
Fixes gh-4542
Closes gh-4563

Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-09-22 17:30:18 +02:00
Michał Gołębiowski-Owczarek
df6858df2e
Tests: Recognize callbacks with dots in the Node.js mock server
This aligns the Node.js server with the previous PHP one in sending `mock.php`
as a callback if there's no `callback` parameter in the query string which is
triggered by a recently added test. This prevents the request crashing on that
Node.js server and printing a JS error:
```
TypeError: Cannot read property '1' of null
```

Closes gh-4764
Ref gh-4754
2020-09-02 18:42:52 +02:00
Michał Gołębiowski-Owczarek
c18dc49699
Tests: Skip the "jQuery.ajax() on unload" test in Safari
The test has been already skipped in Chrome as it dropped support for such
requests and now Safari has joined the squad.

This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13.

Closes gh-4779
2020-09-02 18:04:44 +02:00
Michał Gołębiowski-Owczarek
a4421101fd
Attributes: Drop the toggleClass(boolean|undefined) signature
The behavior of this signature is not intuitive, especially if classes are
manipulated via other ways between `toggleClass` calls.

Fixes gh-3388
Closes gh-4766
2020-09-01 10:42:03 +02:00
Dallas Fraser
a1e619b03a
Ajax: Execute JSONP error script responses
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.

This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.

Fixes gh-4771
Closes gh-4773
2020-08-25 21:41:06 +02:00
Michał Gołębiowski-Owczarek
07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00
Wonhyoung Park
82b87f6f0e
Tests: Remove an unused local variable
Closes gh-4769
2020-08-13 13:24:30 +02:00
Michał Gołębiowski-Owczarek
e7b3bc488d
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
2020-07-27 19:15:57 +02:00
Necmettin Karakaya
fa0058af42
Build: Use the US spelling of "favor"
Closes gh-4752
2020-07-22 16:12:54 +02:00
Michał Gołębiowski-Owczarek
9c98e4e86e
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.

The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.

IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.

All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.

Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
2020-06-10 16:13:22 +02:00
Michał Gołębiowski-Owczarek
0b676ae12d
Deprecated: Remove jQuery.trim
The API has been deprecated in 3.5.0 so it can be removed in 4.0.0.

Ref gh-4461
Closes gh-4695
2020-05-18 23:20:38 +02:00
Michał Gołębiowski-Owczarek
d96111e18b
Tests: Remove remaining obsolete jQuery.cache references
PR gh-4586 removed some of those but not all.

Closes gh-4715
Ref gh-4586
2020-05-18 18:43:01 +02:00
Michał Gołębiowski-Owczarek
297d18dd13
CSS: Include show, hide & toggle methods in the jQuery slim build
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.

To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.

Closes gh-4704
Ref jquery/jquery-migrate#346
2020-05-05 14:16:41 +02:00
Michał Gołębiowski-Owczarek
11066a9e6a
Tests: Workaround failures in recent XSS tests in iOS 8 - 12
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.

Ref gh-4685
Closes gh-4694
2020-04-30 21:25:29 +02:00
Pierre Grimaud
1a7332ce83
Docs: Fix typos
Closes gh-4686
2020-04-29 21:18:23 +02:00
Michał Gołębiowski-Owczarek
dc06d68bdc
Tests: Add tests for recently fixed manipulation XSS issues
Closes gh-4685
Ref gh-4642
Ref gh-4647
2020-04-29 16:39:04 +02:00
Michał Gołębiowski-Owczarek
9b73204350
Tests: Use only one focusin/out handler per matching window & document
Backport tests from a jQuery 3.x fix that's not needed on `master`.

Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5a - the commit that
introduced the regression - to make sure we don't regress on either front.

The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.

(cherry picked from 9e15d6b469)
(cherry picked from 1a4f10ddc3)

Ref gh-4652
Ref gh-4656
Closes gh-4657
2020-04-27 21:37:06 +02:00
Michał Gołębiowski-Owczarek
7b0864d053
Tests: Fix flakiness in the "jQuery.ajax() - JSONP - Same Domain" test
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```

There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.

This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.

Closes gh-4687
2020-04-27 20:22:39 +02:00
Christian Wenz
7fb90a6bea
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".

Fixes gh-4119
Closes gh-4650

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-04-06 21:15:55 +02:00
Michał Gołębiowski-Owczarek
90fed4b453
Manipulation: Make jQuery.htmlPrefilter an identity function
Closes gh-4642
2020-03-16 21:49:29 +01:00
Michał Gołębiowski-Owczarek
9d76c0b163
Data:Event:Manipulation: Prevent collisions with Object.prototype
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.

Fixes gh-3256
Closes gh-4603
2020-03-02 23:02:42 +01:00
Michał Gołębiowski-Owczarek
4a7fc8544e
Build: Enable ESLint one-var rule for var declarations in browser code
Node.js code is written more & more commonly in ES6+ so it doesn't make sense
to enable it there. There are many violations in test code so it's disabled
there as well.

Closes gh-4615
2020-03-02 22:25:35 +01:00
Michał Gołębiowski-Owczarek
364476c3dc
Tests: Pass a number of necessary done() calls to assert.async()
It is no longer needed to create `done` wrappers in tests that require
multiple async operations to complete.

Closes gh-4633
2020-03-02 22:15:06 +01:00
Michał Gołębiowski-Owczarek
4592595b47
Core: Fire iframe script in its context, add doc param in globalEval
1. Support passing custom document to jQuery.globalEval; the script will be
   invoked in the context of this document.
2. Fire external scripts appended to iframe contents in that iframe context;
   this was already supported & tested for inline scripts but not for external
   ones.

Fixes gh-4518
Closes gh-4601
2020-02-10 19:17:22 +01:00
Michał Gołębiowski-Owczarek
18db87172c
Event: remove jQuery.event.global
jQuery.event.global has been write-only in the jQuery source for the past few
years; reading from it was removed in c2d6847de0
when fixing the trac-12989 bug.

Closes gh-4602
2020-02-10 19:13:09 +01:00
Michał Gołębiowski-Owczarek
ff2819911d
Attributes: Refactor val(): don't strip carriage return, isolate IE workarounds
Before this change, `val()` was stripping out carriage return characters from
the returned value. No test has relied on that. The logic was different for
option elements as its custom defined hook was omitting this stripping logic.

This commit gets rid of the carriage return removal and isolates the IE-only
select val getter to be skipped in other browsers.

Closes gh-4585
2020-01-13 19:25:01 +01:00
Michał Gołębiowski-Owczarek
eb35be528f
Tests: Remove obsolete jQuery data tests
The tests relied on `jQuery.cache` so they only ever worked in jQuery 1.x.

Closes gh-4586
2020-01-13 19:23:01 +01:00
Michał Gołębiowski-Owczarek
437f389a24
Build: Make dev mode work in Karma again, serve source files from disk
PR gh-4550 added support for running ES modules & AMD tests via Karma. This
required reading the `esmodules` & `amd` props from both `QUnit.config` &
`QUnit.urlParams`. By picking these two properties manually, the `dev` one
stopped being respected while ones handled directly by QUnit were fine (like
`hidepassed`). Instead of maintaining the full list of options, the code now
iterates over QUnit URL config and handles the fallbacks in a more generic way.

Apart from that, all jQuery source & test files are now read directly from disk
instead of being cached by Karma so that one can run `grunt karma:chrome-debug`
& work on a fix without restarting that Karma run after each change. A similar
effect could have been achieved by setting `autoWatch` to `true` but then the
main Karma page runs tests in an iframe by default when
`grunt karma:chrome-debug` is run instead of relying on the current debug flow.

Closes gh-4574
Ref gh-4550
2020-01-08 00:35:55 +01:00
Michał Gołębiowski-Owczarek
0f780ba7cc
Build:Tests: Fix custom build tests, verify on Travis
This commit fixes unit tests for the following builds:

1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`

It also adds separate Travis jobs for the no-deprecated & slim builds. 

Closes gh-4577
2020-01-07 23:59:08 +01:00
Michał Gołębiowski-Owczarek
1dad1185e0
Docs: Update links to EdgeHTML issues to go through Web Archive
With Microsoft going Chromium with Edge, its old EdgeHTML issues were all
removed. :(

Closes gh-4584
2020-01-07 23:45:41 +01:00
Michał Gołębiowski-Owczarek
c1ee33aded
Selector: Remove the "a:enabled" workaround for Chrome <=77
Remove the workaround for a broken `:enabled` pseudo-class on anchor elements
in Chrome <=77. These versions of Chrome considers anchor elements with the
`href` attribute as matching `:enabled`.

Closes gh-4569
2019-12-16 19:43:38 +01:00
Michał Gołębiowski-Owczarek
341c6d1b5a
Build: Make Karma work in ES modules mode
Also, run such a suite in CI to make sure modules are working as expected
when used directly.

Closes gh-4550
2019-12-16 19:33:49 +01:00
Michał Gołębiowski-Owczarek
f37c2e51f3
Build: Auto-convert sources to AMD
jQuery source has been migrated in gh-4541 from AMD to ES modules. To maintain
support for consumers of our AMD modules, this commits adds a task transpiling
the ES modules sources in `src/` to AMD in `amd/`.

A "Load with AMD" checkbox was also restored to the QUnit setup. Note that,
contrary to jQuery 3.x, AMD files need to be generated via `grunt amd` or
`grunt` as sources are not authored in ECMAScript modules. To achieve a similar
no-compile experience during jQuery 4.x testing, use the new "Load as modules"
checkbox which works in all supported browsers except for IE & Edge (the
legacy, EdgeHTML-based one).

Ref gh-4541
Closes gh-4554
2019-12-09 20:00:44 +01:00
Michał Gołębiowski-Owczarek
d5c505e35d
Event: Only attach events to objects that accept data - for real
There was a check in jQuery.event.add that was supposed to make it a noop
for objects that don't accept data like text or comment nodes. The problem was
the check was incorrect: it assumed `dataPriv.get( elem )` returns a falsy
value for an `elem` that doesn't accept data but that's not the case - we get
an empty object then. The check was changed to use `acceptData` directly.

Fixes gh-4397
Closes gh-4558
2019-12-09 19:50:14 +01:00
Michał Gołębiowski-Owczarek
05184cc448
Selector: Make empty attribute selectors work in IE again
qSA in IE 11/Edge often (but not always) don't find elements with an empty
name attribute selector (`[name=""]`). Detect that & fall back to Sizzle
traversal.

Interestingly, IE 10 & older don't seem to have the issue.

Fixes gh-4435
Closes gh-4510
2019-11-18 22:10:55 +01:00
Michał Gołębiowski-Owczarek
d0ce00cdfa
Core: Migrate from AMD to ES modules 🎉
Migrate all source AMD modules to ECMAScript modules. The final bundle
is compiled by a custom build process that uses Rollup under the hood.

Test files themselves are still loaded via RequireJS as that has to work in
IE 11.

Tests can now be run in "Load as modules" mode which replaces the previous
"Load with AMD" option. That option of running tests doesn't work in IE
and Edge as it requires support for dynamic imports.

Some of the changes required by the migration:
* check `typeof` of `noGlobal` instead of using the variable directly
  as it's not available when modules are used
* change the nonce module to be an object as ECMASscript module exports
  are immutable
* remove some unused exports
* import `./core/parseHTML.js` directly in `jquery.js` so that it's not
  being cut out when the `ajax` module is excluded in a custom compilation

Closes gh-4541
2019-11-18 21:15:03 +01:00
Michał Gołębiowski-Owczarek
a612733be0 Tests: Skip a "width/height on a table row with phantom borders" test in Firefox
Firefox 70 & newer fail this test but the issue there is more profound - Firefox
doesn't subtract borders from table row computed widths.

Closes gh-4537
Ref jquery/jquery#4529
Ref https://bugzilla.mozilla.org/show_bug.cgi?id=1590837
Ref w3c/csswg-drafts#4444

(cherry picked from commit c79e1d5fef)
2019-10-28 20:43:39 +01:00
Michał Gołębiowski-Owczarek
323575fb9b Tests: Don't test synchronous XHR on unload in Chrome
Chrome 78 dropped support for synchronous XHR requests inside of
beforeunload, unload, pagehide, and visibilitychange event handlers.
See https://bugs.chromium.org/p/chromium/issues/detail?id=952452

Closes gh-4536

(cherry picked from commit c5b48c8caa)
2019-10-28 20:43:16 +01:00
Michał Gołębiowski-Owczarek
f09d92100f
Docs: Update most URLs to HTTPS
Closes gh-4511
2019-10-21 19:03:48 +02:00
Michał Gołębiowski-Owczarek
6eee5f7f18
Selector: Add a test for throwing on post-comma invalid selectors
Sizzle's PR jquery/sizzle#456 introduced a test catching not throwing on
badly-escaped identifiers by Firefox 3.6-5. Unfortunately, it was placed just
before a test Opera 10-11 failed, making Opera fail quicker and not adding
a post-comma invalid selector to rbuggyQSA.

The issue was fixed in jquery/sizzle#463. This jQuery commit backports the test
that Sizzle PR added as no workarounds are needed in browsers jQuery supports.

Closes gh-4516
Ref jquery/sizzle#456
Ref jquery/sizzle#463
2019-10-21 19:03:03 +02:00
Michał Gołębiowski-Owczarek
1d624c10b4
Tests: Stop using jQuery.find in tests
This prepares us for possibly hiding jQuery.find in jQuery 4.0.

Closes gh-4517
2019-10-21 19:02:22 +02:00
Michał Gołębiowski-Owczarek
26415e081b
CSS: Workaround buggy getComputedStyle on table rows in IE/Edge
Fixes gh-4490
Closes gh-4506
2019-10-14 18:41:35 +02:00
Sean Robinson
50871a5a85 Ajax: Do not execute scripts for unsuccessful HTTP responses
The script transport used to evaluate fetched script sources which is
undesirable for unsuccessful HTTP responses. This is different to other data
types where such a convention was fine (e.g. in case of JSON).

Fixes gh-4250
Closes gh-4379
2019-09-26 02:43:30 +02:00
Ahmed.S.ElAfifi
9df4f1de12 Core: Use Array.prototype.flat where supported
Calling `Array.prototype.concat.apply( [], inputArray )` to flatten `inputArray`
crashes for large arrays; using `Array.prototype.flat` avoids these issues in
browsers that support it. In case it's necessary to support these large arrays
even in older browsers, a polyfill for `Array.prototype.flat` can be loaded.
This is already being done by many applications.

Fixes gh-4320
Closes gh-4459
2019-09-25 01:38:21 +02:00
Michał Gołębiowski-Owczarek
78420d427c
Core: Implement .even() & .odd() to replace POS :even & :odd
`:even` & `:odd` are deprecated since jQuery 3.4.0 & will be removed in 4.0.0.
The new `even()` & `odd()` methods will make the migration easier.

Closes gh-4485
2019-09-24 02:04:53 +02:00
Michał Gołębiowski-Owczarek
29a9544a4f
Selector: reduce size, simplify setDocument
With new selector code doing less convoluted support tests, it was possible
to extract a lot of logic out of setDocument & also reduce size.

This commit also backports jquery/sizzle#439 that was reverted by mistake
during a switch from JSHint + JSCS to ESLint.

Closes gh-4462
Ref jquery/sizzle#442
Ref jquery/sizzle#439
2019-08-26 19:15:53 +02:00
Michał Gołębiowski-Owczarek
d7e64190ef
Build: Remove the external directory, read from node_modules directly
Now that Sizzle is gone & we use npm, we can read from node_modules directly
and skip the setup that copies some files to the external directory.

Closes gh-4466
2019-08-26 18:53:54 +02:00
Shashanka Nataraj
5ea5946094 Core: Deprecate jQuery.trim
Fixes gh-4363
Closes gh-4461
2019-08-22 02:06:26 +02:00
Richard Gibson
ac5f7cd8e2
Tests: Port changes from Sizzle
Ref https://github.com/jquery/sizzle/pull/450
Closes gh-4464
2019-08-20 14:05:37 -04:00
Michał Gołębiowski-Owczarek
df6a7f7f0f
Selector: Leverage the :scope pseudo-class where possible
The `:scope` pseudo-class[1] has surprisingly good browser support: Chrome,
Firefox & Safari have supported if for a long time; only IE & Edge lack support.
This commit leverages this pseudo-class to get rid of the ID hack in most cases.
Adding a temporary ID may cause layout thrashing which was reported a few times
in [the past.

We can't completely eliminate the ID hack in modern browses as sibling selectors
require us to change context to the parent and then `:scope` stops applying to
what we'd like. But it'd still improve performance in the vast majority of
cases.

[1] https://developer.mozilla.org/en-US/docs/Web/CSS/:scope

Fixes gh-4453
Closes gh-4454
Ref gh-4332
Ref jquery/sizzle#405
2019-08-19 18:41:03 +02:00
Michał Gołębiowski-Owczarek
7bdf307b51
Tests: Fix a comment in testinit.js
A copied comment line was accidentally left out above the line defining
`QUnit.jQuerySelectorsPos`, making the sentence nonsense. This commit removes
that line.

Closes gh-4458
2019-08-19 18:36:21 +02:00
Michał Gołębiowski-Owczarek
47835965bd Selector: Inline Sizzle into the selector module
This commit removes Sizzle from jQuery, inlining its code & removing obsolete
workarounds where applicable.

The selector-native module has been removed. Further work on the selector
module may decrease the size enough that it will no longer be necessary. If
it turns out it's still useful, we'll reinstate it but the code will look
different anyway as we'll want to share as much code as possible with
the existing selector module.

The Sizzle AUTHORS.txt file has been merged with the jQuery one - people are
sorted by their first contributions to either of the two repositories.

The commit reduces the gzipped jQuery size by 1460 bytes compared to master.

Closes gh-4395
2019-07-29 21:19:21 +02:00
Michał Gołębiowski-Owczarek
79b74e043a
Selector: Port Sizzle tests to jQuery
Apart from porting most Sizzle tests to jQuery (mostly to its selector module),
this commit fixes selector-native so that a jQuery custom compilation that
excludes Sizzle passes all tests as well.

Closes gh-4406
2019-06-26 21:39:10 +02:00
Michał Gołębiowski-Owczarek
3527a38405
Core: Remove IE-specific support tests, rely on document.documentMode
Also, update some tests to IE-sniff when deciding whether
to skip a test.

Fixes gh-4386
Closes gh-4387
2019-05-13 21:39:56 +02:00
Pat O'Callaghan
4d865d96aa Traversing: Fix contents() on <object>s with children
Fixes gh-4384
Closes gh-4385
2019-05-06 19:23:00 +02:00
Michał Gołębiowski-Owczarek
cf84696fd1
Core: Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJS
Also, update support comments format to match format described in:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-69379197
with the change from:
https://github.com/jquery/contribute.jquery.org/issues/95#issuecomment-448998379
(open-ended ranges end with `+`).

Fixes gh-3950
Fixes gh-4299
Closes gh-4347
2019-04-29 22:56:09 +02:00
Richard Gibson
bde53edcf4 Tests: Restrict an event test fallback to TestSwarm
Closes gh-4357
2019-04-29 22:12:59 +02:00