Commit Graph

6518 Commits

Author SHA1 Message Date
Michał Gołębiowski-Owczarek
fd421097c5
Core: Make jQuery.isXMLDoc accept falsy input
Fixes gh-4782
Closes gh-4814
2020-12-07 21:09:15 +01:00
Michał Gołębiowski-Owczarek
dbcffb396c
Event: Make focus re-triggering not focus the original element back
If during a focus handler another focus event is triggered:

```js
elem1.on( "focus", function() {
	elem2.trigger( "focus" );
} );
```

due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.

This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.

A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.

Fixes gh-4382
Closes gh-4813
Ref gh-4279
2020-12-07 20:28:44 +01:00
Michał Gołębiowski-Owczarek
6984d17476
Build: Test on Node.js 15
Also, run browser tests on Node 14 instead of 12.

Closes gh-4802
2020-11-11 23:02:22 +01:00
Michał Gołębiowski-Owczarek
5c2d08704e
Event: Don't crash if an element is removed on blur
In Chrome, if an element having a `focusout` handler is blurred by
clicking outside of it, it invokes the handler synchronously. If
that handler calls `.remove()` on the element, the data is cleared,
leaving private data undefined. We're reading a property from that
data so we need to guard against this.

Fixes gh-4417
Closes gh-4799
2020-10-19 21:17:51 +02:00
Michał Gołębiowski-Owczarek
a503c691dc
Build: Explicitly exclude the queue module from the slim build
The queue module is not present in the slim build as it depends on deferred
and our Gruntfile specifies excluding deferred should also exclude queue:
https://github.com/jquery/jquery/blob/3.5.1/Gruntfile.js#L66
This commit makes this exclusion explicit so that the queue module never
accidentally gets re-included in the slim build if it stopped importing from
the deferred module directly.

Closes gh-4793
2020-09-28 18:33:33 +02:00
Michał Gołębiowski-Owczarek
e35fb62db4
Core: Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge)
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft
Edge version. Also, restrict some workarounds that were applied
unconditionally in all browsers to run only in IE now. This slightly
increases the size but reduces the performance burden on modern browsers
that don't need the workarounds.

Also, clean up some comments & remove some obsolete workarounds.

Fixes gh-4568
Closes gh-4792
2020-09-22 17:49:28 +02:00
高灰
15ae361485
Manipulation: Respect script crossorigin attribute in DOM manipulation
Fixes gh-4542
Closes gh-4563

Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-09-22 17:30:18 +02:00
Michał Gołębiowski-Owczarek
df6858df2e
Tests: Recognize callbacks with dots in the Node.js mock server
This aligns the Node.js server with the previous PHP one in sending `mock.php`
as a callback if there's no `callback` parameter in the query string which is
triggered by a recently added test. This prevents the request crashing on that
Node.js server and printing a JS error:
```
TypeError: Cannot read property '1' of null
```

Closes gh-4764
Ref gh-4754
2020-09-02 18:42:52 +02:00
Michał Gołębiowski-Owczarek
c18dc49699
Tests: Skip the "jQuery.ajax() on unload" test in Safari
The test has been already skipped in Chrome as it dropped support for such
requests and now Safari has joined the squad.

This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13.

Closes gh-4779
2020-09-02 18:04:44 +02:00
Michał Gołębiowski-Owczarek
8612018d4e
Build: Make the import/no-unused-modules ESLint rule work in WebStorm
When run via WebStorm, the root path against which paths in the config of the
`import/no-unused-modules` ESLint rule are resolved is the path where the ESLint
config file that defines the rule lies, i.e. `src`. When run via the command
line, it's usually the root folder of the jQuery repository. This pattern
intends to catch both.

Note that we cannot specify two patterns here:
```js
[ "src/*.js", "*.js" ]
```
as they're analyzed individually and the rule crashes if a pattern cannot be
matched.

Closes gh-4777
2020-09-02 17:24:55 +02:00
Michał Gołębiowski-Owczarek
a4421101fd
Attributes: Drop the toggleClass(boolean|undefined) signature
The behavior of this signature is not intuitive, especially if classes are
manipulated via other ways between `toggleClass` calls.

Fixes gh-3388
Closes gh-4766
2020-09-01 10:42:03 +02:00
Michał Gołębiowski-Owczarek
68b4ec59c8
Ajax: Make responseJSON work for erroneous same-domain JSONP requests
Don't use a script tag for JSONP requests unless for cross-domain requests
or if scriptAttrs are provided. This makes the `responseJSON` property available
in JSONP error callbacks.

This fixes a regression from jQuery 3.5.0 introduced in gh-4379 which made
erroneous script responses to not be executed to follow native behavior.

The 3.x-stable branch doesn't need this fix as it doesn't use script tags for
regular async requests.

Closes gh-4778
Ref gh-4771
Ref gh-4773
Ref gh-4379
2020-09-01 00:02:44 +02:00
Michał Gołębiowski-Owczarek
1a5fff4c16
Event: Remove the event.which shim
All supported browsers implement this property by themselves. The shim was only
needed for IE <9.

Fixes gh-3235
Closes gh-4765
Ref gh-4755
2020-08-26 14:10:33 +02:00
Dallas Fraser
a1e619b03a
Ajax: Execute JSONP error script responses
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special:
under the hood it's a script but it simulates JSON responses in an environment
without a CORS setup and sending JSON payloads on error responses is quite
typical there.

This commit makes JSONP error responses still execute the payload. The regular
script error responses continue to be skipped.

Fixes gh-4771
Closes gh-4773
2020-08-25 21:41:06 +02:00
Michał Gołębiowski-Owczarek
07a8e4a177
Ajax: Avoid CSP errors in the script transport for async requests
Until now, the AJAX script transport only used a script tag to load scripts
for cross-domain requests or ones with `scriptAttrs` set. This commit makes
it also used for all async requests to avoid CSP errors arising from usage
of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors
as it uses the AJAX script transport under the hood.

For sync requests such a change is impossible and that's what `jQuery._evalUrl`
uses. Fixing that is tracked in gh-1895.

The commit also makes other type of requests using the script tag version of the
script transport set its type to "GET", namely async scripts & ones with
`scriptAttrs` set in addition to the existing cross-domain ones.

Fixes gh-3969
Closes gh-4763
2020-08-25 21:28:30 +02:00
Wonhyoung Park
82b87f6f0e
Tests: Remove an unused local variable
Closes gh-4769
2020-08-13 13:24:30 +02:00
Ed Sanders
a22b43bad4 Build: Append .eslintignore paths to grunt eslint paths
This allows us to turn off the `quiet` option which was suppressing warnings.
We can also set `maxWarnings` to 0 now that aren't any.

Closes gh-4689
2020-07-27 21:14:05 +02:00
Michał Gołębiowski-Owczarek
e7b3bc488d
Ajax: Drop the json to jsonp auto-promotion logic
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
2020-07-27 19:15:57 +02:00
Necmettin Karakaya
fa0058af42
Build: Use the US spelling of "favor"
Closes gh-4752
2020-07-22 16:12:54 +02:00
Beatriz Rezener
3a1b338a7a
Build: Fix commitplease husky config
Fixes gh-4735
Closes gh-4737
2020-07-20 19:06:39 +02:00
Michał Gołębiowski-Owczarek
b502866960
Build: Update dependencies
This also resolves a security warning from GitHub about a vulnerable `request`
version - the new `testswarm` package version depends on a fixed `request`.

Closes gh-4732
2020-07-15 16:17:41 +02:00
Timmy Willison
39c5778c64
build: set up periodic code scanning analysis 2020-06-25 17:32:02 -04:00
Michał Gołębiowski-Owczarek
9c98e4e86e
Manipulation: Avoid concatenating strings in buildFragment
Concatenating HTML strings in buildFragment is a possible security risk as it
creates an opportunity of escaping the concatenated wrapper. It also makes it
impossible to support secure HTML wrappers like
[trusted types](https://web.dev/trusted-types/). It's safer to create wrapper
elements using `document.createElement` & `appendChild`.

The previous way was needed in jQuery <4 because IE <10 doesn't accept table
parts set via `innerHTML`, even if the element which contents are set is
a proper table element, e.g.:
```js
tr.innerHTML = "<td></td>";
```
The whole structure needs to be passed in one HTML string. jQuery 4 drops
support for IE <11 so this is no longer an issue; in older version we'd have
to duplicate the code paths.

IE <10 needed to have `<option>` elements wrapped in
`<select multiple="multiple">` but we no longer need that on master which
makes the `document.createElement` way shorter as we don't have to call
`setAttribute`.

All these improvements, apart from making logic more secure, decrease the
gzipped size by 58 bytes.

Closes gh-4724
Ref gh-4409
Ref angular/angular.js#17028

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
2020-06-10 16:13:22 +02:00
Michał Gołębiowski-Owczarek
7a6fae6a7e
Docs: Update Frequently Reported Issues in the GitHub issue template
The issue about selectors with '#' being broken is old and no longer
frequently reported so this commit removes it from the list. On the other
hand, we're now getting lots of reports about the security fix in jQuery 3.5.0
that was also a breaking change: gh-4642. This one is now mentioned in the
list.

Closes gh-4728
Ref gh-4642
2020-06-08 20:25:11 +02:00
Michał Gołębiowski-Owczarek
40c3abd0ab
Build:Event: Make sure all source modules' exports are used (#4648)
To achieve that, use `eslint-plugin-import`'s `no-unused-modules` rule.

Also, explicitly import `event/trigger.js` from `jquery.js`; so far it was
only imported from ajax.js, making it mistakenly skipped in the
`custom:slim,-deprecated` build.
2020-06-02 13:45:08 +02:00
Michał Gołębiowski-Owczarek
0b676ae12d
Deprecated: Remove jQuery.trim
The API has been deprecated in 3.5.0 so it can be removed in 4.0.0.

Ref gh-4461
Closes gh-4695
2020-05-18 23:20:38 +02:00
Michał Gołębiowski-Owczarek
bfb6897c55
Release: Remove an unused chalk dependency
Chalk was used for a Sizzle version check that's no longer there on `master`.

Closes gh-4712
2020-05-18 22:45:04 +02:00
Michał Gołębiowski-Owczarek
ef4d6ca6c3
Build: Update eslint-config-jquery, fix linting violations
Closes gh-4696
Ref jquery/eslint-config-jquery#15
Ref jquery/eslint-config-jquery#16
2020-05-18 22:25:49 +02:00
Michał Gołębiowski-Owczarek
d96111e18b
Tests: Remove remaining obsolete jQuery.cache references
PR gh-4586 removed some of those but not all.

Closes gh-4715
Ref gh-4586
2020-05-18 18:43:01 +02:00
Michał Gołębiowski-Owczarek
11611967ad
Docs: Change JS Foundation mentions to OpenJS Foundation
Closes gh-4711
2020-05-18 18:41:32 +02:00
Timmy Willison
2ffe54ca53
Docs: add SECURITY.md, show security email address 2020-05-12 14:33:45 -04:00
Michał Gołębiowski-Owczarek
55cd3a4436
Build: Followups after introducing ES modules compiled via Rollup
This commit cleans up a few comments & configurations that are out of date
after the migration to ES modules backed by a Rollup-based compilation.

Also, de-indent AMD modules. This will preserve a more similar
structure to the one on 3.x-stable where the body of the main `define`
wrapper is not indented.

Closes gh-4705
2020-05-05 14:30:14 +02:00
Michał Gołębiowski-Owczarek
297d18dd13
CSS: Include show, hide & toggle methods in the jQuery slim build
The `show()`, `hide()` & `toggle()` methods were included in the 3.x jQuery
slim build. The jQuery master build accidentally started to exclude them as
they were only imported in the effects module and the new Rollup-based build
system follows the module dependency graph when excluding modules.

To resolve the issue, import the `css/showHide.js` file directly in the main
`jquery.js` file.

Closes gh-4704
Ref jquery/jquery-migrate#346
2020-05-05 14:16:41 +02:00
Wonseop Kim
3d62d57049
Build: Correct code indentations based on jQuery Style Guide
1. Correct code indentations based on jQuery Style Guide
   (contribute.jquery.org/style-guide/js/#spacing).
2. Add rules to "src/.eslintrc.json" to enable "enforcing consistent
   indentation", with minimal changes to the current code.

Closes gh-4672
2020-05-05 10:49:27 +02:00
Michał Gołębiowski-Owczarek
11066a9e6a
Tests: Workaround failures in recent XSS tests in iOS 8 - 12
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.

Ref gh-4685
Closes gh-4694
2020-04-30 21:25:29 +02:00
Pierre Grimaud
1a7332ce83
Docs: Fix typos
Closes gh-4686
2020-04-29 21:18:23 +02:00
Michał Gołębiowski-Owczarek
dc06d68bdc
Tests: Add tests for recently fixed manipulation XSS issues
Closes gh-4685
Ref gh-4642
Ref gh-4647
2020-04-29 16:39:04 +02:00
Michał Gołębiowski-Owczarek
812b4a1a83
Build: Reduce the slim build header comment & jQuery.fn.jquery
So far, the slim build was expanded to its full exclusion list, generating the
following `jQuery.fn.jquery`:
```
v4.0.0-pre -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```

This commit changes it to just `v4.0.0-pre slim`. Only the pure slim build is
treated this way, any modification to it goes through the old expansion; e.g.
for `custom:slim,-deprecated` we get the following `jQuery.fn.jquery`:
```
v4.0.0-pre -deprecated,-deprecated/ajax-event-alias,-deprecated/event,-ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-callbacks,-deferred,-deferred/exceptionHook,-effects,-effects/Tween,-effects/animatedSelector,-queue,-queue/delay,-core/ready
```

Since the version string is also put in the jQuery header comment, it also got
smaller.

Also, the logic to skip including the commit hash in the header comment - when
provided through the COMMIT environment variable which we do in Jenkins - in
minified builds headers has been applied to builds with exclusions as well.

Closes gh-4649
2020-04-27 22:23:59 +02:00
Michał Gołębiowski-Owczarek
9b73204350
Tests: Use only one focusin/out handler per matching window & document
Backport tests from a jQuery 3.x fix that's not needed on `master`.

Also, fix the "focusin from an iframe" test to actually verify the behavior
from commit 1cecf64e5a - the commit that
introduced the regression - to make sure we don't regress on either front.

The main part of the modified test was checking that focusin handling in an
iframe works and that's still checked. The test was also checking that it
doesn't propagate to the parent document, though, and, apparently, in IE it
does. This one test is now blacklisted in IE.

(cherry picked from 9e15d6b469)
(cherry picked from 1a4f10ddc3)

Ref gh-4652
Ref gh-4656
Closes gh-4657
2020-04-27 21:37:06 +02:00
Ed S
34296ec547
Build: Move ESLint max-len disable-directive to dist/.eslintrc.json
This disable-directive only applies to the built version, so put
it in /dist. This avoids a warning about an unused directive in the
source version.

Closes gh-4676
2020-04-27 21:29:13 +02:00
Michał Gołębiowski-Owczarek
7b0864d053
Tests: Fix flakiness in the "jQuery.ajax() - JSONP - Same Domain" test
The "jQuery.ajax() - JSONP - Same Domain" test is firing a request with
a duplicate "callback" parameter, something like (simplified):
```
mock.php?action=jsonp&callback=jQuery_1&callback=jQuery_2
```

There was a difference in how the PHP & Node.js implementations of the jsonp
action in the mock server handled situations like that. The PHP implementation
was using the latest parameter while the Node.js one was turning it into an
array but the code didn't handle this situation. Because of how JavaScript
stringifies arrays, while the PHP implementation injected the following code:
```js
jQuery_2(payload)
```
the Node.js one was injecting the following one:
```js
jQuery_1,jQuery_2(payload)
```
This is a comma expression in JavaScript; it so turned out that in the majority
of cases both callbacks were identical so it was more like:
```js
jQuery_1,jQuery_1(payload)
```
which evaluates to `jQuery_1(payload)` when `jQuery_1` is defined, making the
test go as expected. In many cases, though, especially on Travis, the callbacks
were different, triggering an `Uncaught ReferenceError` error & requiring
frequent manual re-runs of Travis builds.

This commit fixes the logic in the mock Node.js server, adding special handling
for arrays.

Closes gh-4687
2020-04-27 20:22:39 +02:00
Michał Gołębiowski-Owczarek
a62309e01b
Docs: Update the link to the jsdom repository
Closes gh-4684
2020-04-25 20:47:25 +02:00
Michał Gołębiowski-Owczarek
88eb22e059
Build: Test on Node.js 14, stop testing on Node.js 8 & 13
Closes gh-4678
2020-04-23 13:24:35 +02:00
Ed S
46f9810b73
Build: Enable reportUnusedDisableDirectives in ESLint
This forbids unnecessary `eslint-disable` comments.

Ref gh-4095
Closes gh-4520
2020-04-20 19:01:20 +02:00
Jonathan
73415da25d
Docs: Use https for hyperlinks in README
Closes gh-4673
2020-04-17 11:46:49 +02:00
Christian Wenz
7fb90a6bea
Ajax: Overwrite s.contentType with content-type header value, if any
This fixes the issue of "%20" in POST data being replaced with "+"
even for requests with content-type different from
"application/x-www-form-urlencoded", e.g. for "application/json".

Fixes gh-4119
Closes gh-4650

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
2020-04-06 21:15:55 +02:00
Michał Gołębiowski-Owczarek
90fed4b453
Manipulation: Make jQuery.htmlPrefilter an identity function
Closes gh-4642
2020-03-16 21:49:29 +01:00
Michał Gołębiowski-Owczarek
5b94a4f847
Build: Resolve Travis config warnings
Travis reports warnings in our config:
* root: deprecated key sudo (The key `sudo` has no effect anymore.)
* root: missing os, using the default linux
* root: key matrix is an alias for jobs, using jobs

They are all now resolved.

Closes gh-4636
2020-03-13 17:16:07 +01:00
Michał Gołębiowski-Owczarek
9d76c0b163
Data:Event:Manipulation: Prevent collisions with Object.prototype
Make sure events & data keys matching Object.prototype properties work.
A separate fix for such events on cloned elements was added as well.

Fixes gh-3256
Closes gh-4603
2020-03-02 23:02:42 +01:00
Michał Gołębiowski-Owczarek
358b769a00
Release: Use an in-repository dist README fixture
Use a dist README fixture kept in the jQuery repository instead of modifying
an existing one. This makes the jQuery repository the single source of truth
when it comes to jQuery releases and it makes it easier to make changes to
README without worrying how it will affect older jQuery lines.

The commit also ES6ifies build/release.js & build/release/dist.js

Closes gh-4614
2020-03-02 22:42:38 +01:00