From 84cbd627b55c303e4bbfafed0a93509f51454261 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Go=C5=82e=CC=A8biowski-Owczarek?= Date: Thu, 2 Dec 2021 19:49:45 +0100 Subject: [PATCH 1/2] Docs: Document the warning about the JSON-to-JSONP auto-promotion The warning landed in gh-376 but I forgot to document it. Fixes gh-443 Ref gh-376 --- warnings.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/warnings.md b/warnings.md index 7337a8be..77c38ab5 100644 --- a/warnings.md +++ b/warnings.md @@ -87,7 +87,7 @@ This is _not_ a warning, but a console log message the plugin shows when it firs ### JQMIGRATE: jQuery.data() always sets/gets camelCased names -**Cause:** The page is attempting to set or get a jQuery data item using kebab case, e.g. `my-data`, when a `my-data` item has been set directly on the jQuery data object. jQuery 3.0 always exclusively uses camel case, e.g., `myData`, when it accesses data items via the `.data()` API and does not find kebab case data in that object. +**Cause:** The page is attempting to set or get a jQuery data item using kebab case, e.g. `my-data`, when a `my-data` item has been set directly on the jQuery data object. jQuery 3.0 always exclusively uses camel case, e.g., `myData`, when it accesses data items via the `.data()` API and does not find kebab case data in that object. **Solution:** Either 1) Always use the `.data()` API to set or get data items, 2) Always use camelCase names when also setting properties directly on jQuery's data object, or 3) Always set properties directly on the data object without using the API call to set or get data by name. Never mix direct access to the data object and API calls with kebab case names. 
@@ -225,7 +225,7 @@ See jQuery-ui [commit](https://github.com/jquery/jquery-ui/commit/c0093b599fcd58 ### JQMIGRATE: jQuery.fn.hover() is deprecated -**Cause:** The `.hover()` method is a shorthand for the use of the `mouseover`/`mouseout` events. It is often a poor user interface choice because it does not allow for any small amounts of delay between when the mouse enters or exits an area and when the event fires. This can make it quite difficult to use with UI widgets such as drop-down menus. For more information on the problems of hovering, see the [hoverIntent plugin](http://cherne.net/brian/resources/jquery.hoverIntent.html). +**Cause:** The `.hover()` method is a shorthand for the use of the `mouseover`/`mouseout` events. It is often a poor user interface choice because it does not allow for any small amounts of delay between when the mouse enters or exits an area and when the event fires. This can make it quite difficult to use with UI widgets such as drop-down menus. For more information on the problems of hovering, see the [hoverIntent plugin](http://cherne.net/brian/resources/jquery.hoverIntent.html). **Solution:** Review uses of `.hover()` to determine if they are appropriate, and consider use of plugins such as `hoverIntent` as an alternative. The direct replacement for `.hover(fn1, fn2)`, is `.on("mouseenter", fn1).on("mouseleave", fn2)`. 
@@ -264,3 +264,9 @@ See jQuery-ui [commit](https://github.com/jquery/jquery-ui/commit/c0093b599fcd58 **Cause:** jQuery 3.5.0 changed the way it processes HTML strings. Previously, jQuery would attempt to fix self-closed tags like `` that the HTML5 specification says are not self-closed, turning it into ``. This processing can create a [security problem](https://nvd.nist.gov/vuln/detail/CVE-2020-11022) with malicious strings, so the functionality had to be removed. **Solution:** Search for the reported HTML strings and edit the tags to close them explicitly. In some cases the strings passed to jQuery may be created inside the program and thus not searchable. Migrate warning messages include a stack trace that can be used to find the location of the usage in the code. + +### JQMIGRATE: JSON-to-JSONP auto-promotion is deprecated + +**Cause:** `jQuery.ajax` calls with `dataType: 'json'` with a provided callback are automatically converted by jQuery to JSONP requests unless one also specified `jsonp: false`. Auto-promoting JSON requests to JSONP ones introduces a security risk as the developer may be unaware they're not just downloading data but executing code from a remote domain. This auto-promoting behavior is deprecated and will be gone in jQuery 4.0.0. + +**Solution:** To trigger a JSONP request, specify the `dataType: "jsonp"` option. From c4d5a66020ad1b477cb9c147c3e7fae7e8f54f1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?= Date: Fri, 31 Dec 2021 00:17:27 +0100 Subject: [PATCH 2/2] Update warnings.md Co-authored-by: Dave Methvin --- warnings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/warnings.md b/warnings.md index 77c38ab5..18f26f0f 100644 --- a/warnings.md +++ b/warnings.md 
@@ -267,6 +267,6 @@ See jQuery-ui [commit](https://github.com/jquery/jquery-ui/commit/c0093b599fcd58 ### JQMIGRATE: JSON-to-JSONP auto-promotion is deprecated -**Cause:** `jQuery.ajax` calls with `dataType: 'json'` with a provided callback are automatically converted by jQuery to JSONP requests unless one also specified `jsonp: false`. Auto-promoting JSON requests to JSONP ones introduces a security risk as the developer may be unaware they're not just downloading data but executing code from a remote domain. This auto-promoting behavior is deprecated and will be gone in jQuery 4.0.0. +**Cause:** `jQuery.ajax` calls with `dataType: 'json'` with a provided callback are automatically converted by jQuery to JSONP requests unless the options also specify `jsonp: false`. Auto-promoting JSON requests to JSONP introduces a security risk as the developer may be unaware they're not just downloading data but executing code from a remote domain. This auto-promoting behavior is deprecated and will be removed in jQuery 4.0.0. **Solution:** To trigger a JSONP request, specify the `dataType: "jsonp"` option.
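Review bot: the `@@ -87,7 +87,7 @@` and `@@ -225,7 +225,7 @@` hunks in PATCH 1/2 are whitespace-only (the removed and added lines read identically) and are unrelated to the JSONP warning the commit message says it documents; either drop them from this patch or mention the trailing-whitespace cleanup in the message so the diff stat (8 insertions, 2 deletions, of which two are these lines) is explained.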
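Review bot: in the `@@ -264,3 +264,9 @@` hunk of PATCH 1/2 the Solution only tells readers how to get a JSONP request (`specify the dataType: "jsonp" option`), but the warning also fires for developers who wanted plain JSON and did not realise the promotion was happening, which is exactly the risk the Cause describes; add the opt-out the Cause already names, i.e. set `jsonp: false` (or remove the `callback=?` placeholder from the `url` or string `data`, which is what triggers the promotion in jQuery), so both audiences know what to do. "with a provided callback" is also ambiguous and should say concretely what jQuery looks for. Minor: the Cause writes `dataType: 'json'` while the Solution writes `dataType: "jsonp"`; pick one quoting style, matching the rest of warnings.md.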
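Review bot: the `@@ -267,6 +267,6 @@` hunk in PATCH 2/2 tightens the wording of the Cause but leaves the two issues a reader of this entry will hit: the quoting inconsistency (`dataType: 'json'` in the Cause versus `dataType: "jsonp"` in the Solution) and the absence of the JSON-intended fix, since `jsonp: false` is still mentioned only as the condition that prevents promotion, not as the setting to add when the warning is unwanted; suggest a second Solution sentence along the lines of "To keep a plain JSON request, specify `jsonp: false`." The subject line "Update warnings.md" also does not describe the change; a subject that names the entry being reworded would make the history searchable.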