Core: review feedback

Author: dmethvin

src/core.js

@@ -7,16 +7,13 @@ var findProp,
 	rattrHashTest = /\[(\s*[-\w]+\s*)([~|^$*]?=)\s*([-\w#]*?#[-\w#]*)\s*\]/,
 	rattrHashGlob = /\[(\s*[-\w]+\s*)([~|^$*]?=)\s*([-\w#]*?#[-\w#]*)\s*\]/g,
 	rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,
-	rsingleTag = ( /^<([a-z][^\/\0>:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i ),
 
 	// Support: Android <=4.0 only
 	// Make sure we trim BOM and NBSP
 	rtrim = /^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,
 	makeMarkup = function( html ) {
-		var doc = window.document.implementation.createHTMLDocument( "", "", null );
-		doc.open( "replace" );
-		doc.write( html );
-		doc.close();
+		var doc = window.document.implementation.createHTMLDocument( "" );
+		doc.body.innerHTML = html;
 		return doc.body && doc.body.innerHTML;
 	};
 
@@ -35,14 +32,9 @@ jQuery.fn.init = function( arg1 ) {
 jQuery.fn.init.prototype = jQuery.fn;
 
 jQuery.htmlPrefilter = function( html ) {
-	var changed;
-	if ( typeof html === "string" && html.trim().charAt( 0 ) === "<" ) {
-		if ( !rsingleTag.test( html ) ) {
-			changed = html.replace( rxhtmlTag, "<$1></$2>" );
-			if ( changed !== html && makeMarkup( html ) !== makeMarkup( changed ) ) {
-				migrateWarn( "HTML tags must be properly nested and closed: " + html );
-			}
-		}
+	var changed = html.replace( rxhtmlTag, "<$1></$2>" );
+	if ( changed !== html && makeMarkup( html ) !== makeMarkup( changed ) ) {
+		migrateWarn( "HTML tags must be properly nested and closed: " + html );
 	}
 	return html;
 };

test/core.js

@@ -45,15 +45,15 @@ QUnit.test( "jQuery.migrateDeduplicateWarnings", function( assert ) {
 	jQuery.migrateDeduplicateWarnings = origValue;
 } );
 
-QUnit.test( "jQuery( html, props )", function( assert ) {
+QUnit.test( "jQuery(html, props)", function( assert ) {
 	assert.expect( 3 );
 
 	var $el = jQuery( "<input/>", { name: "name", val: "value", size: 42 } );
 
 	assert.equal( $el.attr( "name" ), "name", "Name attribute" );
 	assert.equal( $el.attr( "size" ),
 		jQuery.isEmptyObject( jQuery.attrFn ) ? undefined : "42", "Size attribute" );
-	assert.equal( $el.val( ), "value", "Call setter method" );
+	assert.equal( $el.val(), "value", "Call setter method" );
 } );
 
 QUnit.test( "jQuery( '#' )", function( assert ) {
@@ -106,16 +106,16 @@ QUnit.test( "Attribute selectors with unquoted hashes", function( assert ) {
 	assert.expect( 31 );
 
 	var markup = jQuery(
-		"<div>" +
-		"<div data-selector='a[href=#main]'></div>" +
-		"<a href='space#junk'>test</a>" +
-		"<link rel='good#stuff' />" +
-		"<p class='space #junk'>" +
-		"<a href='#some-anchor'>anchor2</a>" +
-		"<input value='[strange*=#stuff]' />" +
-		"<a href='#' data-id='#junk'>anchor</a>" +
-		"</p>" +
-		"</div>" ).appendTo( "#qunit-fixture" ),
+			"<div>" +
+				"<div data-selector='a[href=#main]'></div>" +
+				"<a href='space#junk'>test</a>" +
+				"<link rel='good#stuff' />" +
+				"<p class='space #junk'>" +
+					"<a href='#some-anchor'>anchor2</a>" +
+					"<input value='[strange*=#stuff]' />" +
+					"<a href='#' data-id='#junk'>anchor</a>" +
+				"</p>" +
+			"</div>" ).appendTo( "#qunit-fixture" ),
 
 		// No warning, no need to fix
 		okays = [
@@ -128,7 +128,7 @@ QUnit.test( "Attribute selectors with unquoted hashes", function( assert ) {
 		// Fixable, and gives warning
 		fixables = [
 			"a[href=#]",
-			"a[href*=#]:not( [href=#] ):first-child",
+			"a[href*=#]:not([href=#]):first-child",
 			".space a[href=#]",
 			"a[href=#some-anchor]",
 			"link[rel*=#stuff]",
@@ -139,13 +139,13 @@ QUnit.test( "Attribute selectors with unquoted hashes", function( assert ) {
 		// False positives that still work
 		positives = [
 			"div[data-selector='a[href=#main]']:first",
-			"input[value= '[strange*=#stuff]']:eq( 0 )"
+			"input[value= '[strange*=#stuff]']:eq(0)"
 		],
 
 		// Failures due to quotes and jQuery extensions combined
 		failures = [
 			"p[class ^= #junk]:first",
-			"a[href=space#junk]:eq( 1 )"
+			"a[href=space#junk]:eq(1)"
 		];
 
 	expectNoWarning( assert, "Perfectly cromulent selectors are unchanged", function() {
@@ -174,11 +174,11 @@ QUnit.test( "Attribute selectors with unquoted hashes", function( assert ) {
 		failures.forEach( function( failure ) {
 			try {
 				jQuery( failure, markup );
-				assert.ok( false, "Expected jQuery( ) to die!" );
+				assert.ok( false, "Expected jQuery() to die!" );
 			} catch ( err1 ) { }
 			try {
 				markup.find( failure );
-				assert.ok( false, "Expected .find( ) to die!" );
+				assert.ok( false, "Expected .find() to die!" );
 			} catch ( err2 ) { }
 		} );
 	} );
@@ -191,11 +191,11 @@ QUnit.test( "Attribute selectors with unquoted hashes", function( assert ) {
 					jQuery( "a[href=#]" );
 				}
 			} );
-		} catch ( e ) { }
+		} catch ( e ) {}
 	} );
 } );
 
-QUnit.test( "XSS injection ( leading hash )", function( assert ) {
+QUnit.test( "XSS injection (leading hash)", function( assert ) {
 	assert.expect( 1 );
 
 	var threw = false;
@@ -206,10 +206,10 @@ QUnit.test( "XSS injection ( leading hash )", function( assert ) {
 		threw = true;
 	}
 
-	assert.equal( threw, true, "Throw on leading-hash HTML ( treated as selector )" );
+	assert.equal( threw, true, "Throw on leading-hash HTML (treated as selector)" );
 } );
 
-QUnit.test( "XSS injection ( XSS via script tag )", function( assert ) {
+QUnit.test( "XSS injection (XSS via script tag)", function( assert ) {
 	assert.expect( 2 );
 
 	var threw = false;
@@ -233,11 +233,11 @@ QUnit.test( "XSS injection ( XSS with hash and leading space )", function( asser
 	} catch ( e ) {
 		threw = true;
 	}
-	assert.equal( threw, true, "Throw on leading-hash HTML and space ( treated as selector )" );
+	assert.equal( threw, true, "Throw on leading-hash HTML and space (treated as selector)" );
 	assert.equal( window.XSS, false, "XSS" );
 } );
 
-QUnit.test( "XSS injection ( XSS via onerror inline handler )", function( assert ) {
+QUnit.test( "XSS injection (XSS via onerror inline handler)", function( assert ) {
 	assert.expect( 2 );
 
 	var start,
@@ -249,27 +249,27 @@ QUnit.test( "XSS injection ( XSS via onerror inline handler )", function( assert
 	} catch ( e ) {
 		threw = true;
 	}
-	assert.equal( threw, true, "Throw on leading-hash HTML ( treated as selector )" );
+	assert.equal( threw, true, "Throw on leading-hash HTML (treated as selector)" );
 
-	start = assert.async( );
+	start = assert.async();
 	setTimeout( function() {
 		assert.equal( window.XSS, false, "XSS" );
-		start( );
+		start();
 	}, 1000 );
 } );
 
-QUnit.test( "jQuery( '<element>' ) usable on detached elements ( #128 )", function( assert ) {
+QUnit.test( "jQuery('<element>') usable on detached elements (#128)", function( assert ) {
 	assert.expect( 1 );
 
-	jQuery( "<a>" ).outerWidth( );
+	jQuery( "<a>" ).outerWidth();
 	assert.ok( true, "No crash when operating on detached elements with window" );
 } );
 
 QUnit.test( ".size", function( assert ) {
 	assert.expect( 1 );
 
 	expectWarning( assert, "size", function() {
-		jQuery( "<div />" ).size( );
+		jQuery( "<div />" ).size();
 	} );
 } );
 
@@ -309,24 +309,24 @@ QUnit.test( "isNumeric", function( assert ) {
 	assert.ok( t( 8e5 ), "Exponential notation" );
 	assert.ok( t( "123e-2" ), "Exponential notation string" );
 	assert.ok( t( "040" ), "Legacy octal integer literal string" );
-	assert.ok( t( "0xFF" ), "Hexadecimal integer literal string ( 0x... )" );
-	assert.ok( t( "0Xba" ), "Hexadecimal integer literal string ( 0X... )" );
+	assert.ok( t( "0xFF" ), "Hexadecimal integer literal string (0x...)" );
+	assert.ok( t( "0Xba" ), "Hexadecimal integer literal string (0X...)" );
 	assert.ok( t( 0xFFF ), "Hexadecimal integer literal" );
 
 	if ( +"0b1" === 1 ) {
-		assert.ok( t( "0b111110" ), "Binary integer literal string ( 0b... )" );
-		assert.ok( t( "0B111110" ), "Binary integer literal string ( 0B... )" );
+		assert.ok( t( "0b111110" ), "Binary integer literal string (0b...)" );
+		assert.ok( t( "0B111110" ), "Binary integer literal string (0B...)" );
 	} else {
-		assert.ok( true, "Browser does not support binary integer literal ( 0b... )" );
-		assert.ok( true, "Browser does not support binary integer literal ( 0B... )" );
+		assert.ok( true, "Browser does not support binary integer literal (0b...)" );
+		assert.ok( true, "Browser does not support binary integer literal (0B...)" );
 	}
 
 	if ( +"0o1" === 1 ) {
-		assert.ok( t( "0o76" ), "Octal integer literal string ( 0o... )" );
-		assert.ok( t( "0O76" ), "Octal integer literal string ( 0O... )" );
+		assert.ok( t( "0o76" ), "Octal integer literal string (0o...)" );
+		assert.ok( t( "0O76" ), "Octal integer literal string (0O...)" );
 	} else {
-		assert.ok( true, "Browser does not support octal integer literal ( 0o... )" );
-		assert.ok( true, "Browser does not support octal integer literal ( 0O... )" );
+		assert.ok( true, "Browser does not support octal integer literal (0o...)" );
+		assert.ok( true, "Browser does not support octal integer literal (0O...)" );
 	}
 
 	assert.equal( t( new ToString( "42" ) ), false, "Only limited to strings and numbers" );
@@ -353,18 +353,18 @@ QUnit.test( "isNumeric", function( assert ) {
 	assert.equal( t( new Date( ) ), false, "Instance of a Date" );
 } );
 
-QUnit[ typeof Symbol === "function" ? "test" : "skip" ]( "isNumeric( Symbol )", function( assert ) {
+QUnit[ typeof Symbol === "function" ? "test" : "skip" ]( "isNumeric(Symbol)", function( assert ) {
 	assert.expect( 2 );
 
-	assert.equal( jQuery.isNumeric( Symbol( ) ), false, "Symbol" );
-	assert.equal( jQuery.isNumeric( Object( Symbol( ) ) ), false, "Symbol inside an object" );
+	assert.equal( jQuery.isNumeric( Symbol() ), false, "Symbol" );
+	assert.equal( jQuery.isNumeric( Object( Symbol() ) ), false, "Symbol inside an object" );
 } );
 
-QUnit[ jQueryVersionSince( "3.3.0" ) ? "test" : "skip" ]( ".isNumeric ( warn )",
+QUnit[ jQueryVersionSince( "3.3.0" ) ? "test" : "skip" ]( ".isNumeric (warn)",
   function( assert ) {
 	assert.expect( 3 );
 
-	expectWarning( assert, "warning on isNumeric ( and possibly type )", function() {
+	expectWarning( assert, "warning on isNumeric (and possibly type)", function() {
 		assert.equal( jQuery.isNumeric( 42 ), true, "isNumeric number" );
 		assert.equal( jQuery.isNumeric( "nope" ), false, "isNumeric non number" );
 	} );
@@ -412,7 +412,7 @@ QUnit.test( "jQuery.expr.pseudos aliases", function( assert ) {
 
 		assert.ok( jQuery.expr.pseudos.mazda, "filters assigned" );
 		assert.ok( jQuery.expr.pseudos.marginal, "[':'] assigned" );
-		fixture.find( "p" ).first( ).css( "marginLeftWidth", "40px" );
+		fixture.find( "p" ).first().css( "marginLeftWidth", "40px" );
 		assert.equal( fixture.find( "p:marginal" ).length, 1, "One marginal element" );
 		assert.equal( fixture.find( "div:mazda" ).length, 0, "No mazda elements" );
 		delete jQuery.expr.pseudos.mazda;
@@ -421,7 +421,7 @@ QUnit.test( "jQuery.expr.pseudos aliases", function( assert ) {
 
 } );
 
-QUnit.test( "jQuery.holdReady ( warn only )", function( assert ) {
+QUnit.test( "jQuery.holdReady (warn only)", function( assert ) {
 	assert.expect( 1 );
 
 	expectWarning( assert, "jQuery.holdReady", 2, function() {
@@ -441,7 +441,7 @@ QUnit[ jQueryVersionSince( "3.1.1" ) ? "test" : "skip" ]( "jQuery.trim", functio
 		assert.equal( jQuery.trim( "  hello   " ), "hello", "space on both sides" );
 		assert.equal( jQuery.trim( "  " + nbsp + "hello  " + nbsp + " " ), "hello", "&nbsp;" );
 
-		assert.equal( jQuery.trim( ), "", "Nothing in." );
+		assert.equal( jQuery.trim(), "", "Nothing in." );
 		assert.equal( jQuery.trim( undefined ), "", "Undefined" );
 		assert.equal( jQuery.trim( null ), "", "Null" );
 		assert.equal( jQuery.trim( 5 ), "5", "Number" );
@@ -494,10 +494,10 @@ QUnit[ jQueryVersionSince( "3.3.0" ) ? "test" : "skip" ]( "jQuery.type ( warn )"
 	assert.equal( jQuery.type( /foo/ ), "regexp", "RegExp" );
 	assert.equal( jQuery.type( new RegExp( "asdf" ) ), "regexp", "RegExp" );
 	assert.equal( jQuery.type( [ 1 ] ), "array", "Array" );
-	assert.equal( jQuery.type( new Date( ) ), "date", "Date" );
+	assert.equal( jQuery.type( new Date() ), "date", "Date" );
 	assert.equal( jQuery.type( new Function( "return;" ) ), "function", "Function" );
 	assert.equal( jQuery.type( function() {} ), "function", "Function" );
-	assert.equal( jQuery.type( new Error( ) ), "error", "Error" );
+	assert.equal( jQuery.type( new Error() ), "error", "Error" );
 	assert.equal( jQuery.type( window ), "object", "Window" );
 	assert.equal( jQuery.type( document ), "object", "Document" );
 	assert.equal( jQuery.type( document.body ), "object", "Element" );
@@ -512,7 +512,7 @@ QUnit[ jQueryVersionSince( "3.3.0" ) ? "test" : "skip" ]( "jQuery.type ( warn )"
 	assert.equal( jQuery.type( new MyBoolean( true ) ), "boolean", "Boolean" );
 	assert.equal( jQuery.type( new MyNumber( 1 ) ), "number", "Number" );
 	assert.equal( jQuery.type( new MyString( "a" ) ), "string", "String" );
-	assert.equal( jQuery.type( new MyObject( ) ), "object", "Object" );
+	assert.equal( jQuery.type( new MyObject() ), "object", "Object" );
 
 } );
 
@@ -522,7 +522,7 @@ QUnit[ jQueryVersionSince( "3.3.0" ) ? "test" : "skip" ]( "jQuery.isArray", func
 	expectWarning( assert, "isArray", 3, function() {
 		assert.equal( jQuery.isArray( [] ), true, "empty array" );
 		assert.equal( jQuery.isArray( "" ), false, "empty string" );
-		assert.equal( jQuery.isArray( jQuery( ).toArray( ) ), true, "toArray" );
+		assert.equal( jQuery.isArray( jQuery( ).toArray() ), true, "toArray" );
 	} );
 
 } );

warnings.md

@@ -259,3 +259,10 @@ See jQuery-ui [commit](https://github.com/jquery/jquery-ui/commit/c0093b599fcd58
 **Cause:** In past versions, when a number-typed value was passed to `.css()` jQuery converted it to a string and added `"px"` to the end. As the CSS standard has evolved, an increasingly large set of CSS properties now accept values that are unitless numbers, where this behavior is incorrect. It has become impractical to manage these exceptions in the `jQuery.cssNumber` object. In addition, some CSS properties like `line-height` can accept both a bare number `2` or a pixel value `2px`. jQuery cannot know the correct way to interpret `$.css("line-height", 2)` and currently treats it as `"2px"`.
 
 **Solution:** Always pass string values to `.css()`, and explicitly add units where required. For example, use `$.css("line-height", "2")` to specify 200% of the current line height or `$.css("line-height", "2px")` to specify pixels. When the numeric value is in a variable, ensure the value is converted to string, e.g. `$.css("line-height", String(height))` and `$.css("line-height", height+"px")`.
+
+#### JQMIGRATE: HTML tags must be properly nested and closed: _(HTML string)_
+
+**Cause:** jQuery 3.5.0 changed the way it processes HTML strings. Previously, jQuery would attempt to fix self-closed tags like `<i class="test" />` that the HTML5 specification says are not self-closed, turning it into `<i class="test"></i>`. This processing can create a [security problem](https://nvd.nist.gov/vuln/detail/CVE-2020-11022) with malicious strings, so the functionality had to be removed.
+
+**Solution:** Search for the reported HTML strings and edit the tags to close them explicitly. In some cases the strings passed to jQuery may be created inside the program and thus not searchable. Migrate warning messages include a stack trace that can be used to find the location of the usage in the code. 
+