update #1
Open
update #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add back camelCase to the public object (deprecate not remove) Ref #3384
- selectors beginning with a child combinator are not valid natively. This fixes the tests when using selector-native.js
+30 bytes instead of +182 Thanks to @faisaliyk for the first pass on this feature. Fixes gh-3532 Close gh-3917
- This should fix the broken travis build on Node 8 - See travis-ci/travis-ci#8836
- Also fixes tests for karma, where the URL for the module is different Ref gh-3871
Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. All these improvements, apart from making logic more secure, decrease the gzipped size by 58 bytes. Closes gh-4724 Ref gh-4409 Ref angular/angular.js#17028 Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
This also resolves a security warning from GitHub about a vulnerable `request` version - the new `testswarm` package version depends on a fixed `request`. Closes gh-4732
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was automatically converted to a jsonp request unless one also specified `jsonp: false`. Today the preferred way of interacting with a cross-domain backend is CORS which works in all browsers jQuery 4 will support. Auto-promoting JSON requests to JSONP ones introduces a security issue as the developer may be unaware they're not just downloading data but executing code from a remote domain. This commit disables the auto-promoting logic. BREAKING CHANGE: to trigger a JSONP request, it's now required to specify `dataType: "jsonp"`; previously some requests with `dataType: "json"` were auto-promoted to JSONP. Fixes gh-1799 Fixes gh-3376 Closes gh-4754
This allows us to turn off the `quiet` option which was suppressing warnings. We can also set `maxWarnings` to 0 now that aren't any. Closes gh-4689
Until now, the AJAX script transport only used a script tag to load scripts for cross-domain requests or ones with `scriptAttrs` set. This commit makes it also used for all async requests to avoid CSP errors arising from usage of inline scripts. This also makes `jQuery.getScript` not trigger CSP errors as it uses the AJAX script transport under the hood. For sync requests such a change is impossible and that's what `jQuery._evalUrl` uses. Fixing that is tracked in gh-1895. The commit also makes other type of requests using the script tag version of the script transport set its type to "GET", namely async scripts & ones with `scriptAttrs` set in addition to the existing cross-domain ones. Fixes gh-3969 Closes gh-4763
Issue gh-4379 was meant to be a bug fix but the JSONP case is a bit special: under the hood it's a script but it simulates JSON responses in an environment without a CORS setup and sending JSON payloads on error responses is quite typical there. This commit makes JSONP error responses still execute the payload. The regular script error responses continue to be skipped. Fixes gh-4771 Closes gh-4773
Don't use a script tag for JSONP requests unless for cross-domain requests or if scriptAttrs are provided. This makes the `responseJSON` property available in JSONP error callbacks. This fixes a regression from jQuery 3.5.0 introduced in gh-4379 which made erroneous script responses to not be executed to follow native behavior. The 3.x-stable branch doesn't need this fix as it doesn't use script tags for regular async requests. Closes gh-4778 Ref gh-4771 Ref gh-4773 Ref gh-4379
When run via WebStorm, the root path against which paths in the config of the `import/no-unused-modules` ESLint rule are resolved is the path where the ESLint config file that defines the rule lies, i.e. `src`. When run via the command line, it's usually the root folder of the jQuery repository. This pattern intends to catch both. Note that we cannot specify two patterns here: ```js [ "src/*.js", "*.js" ] ``` as they're analyzed individually and the rule crashes if a pattern cannot be matched. Closes gh-4777
The test has been already skipped in Chrome as it dropped support for such requests and now Safari has joined the squad. This will resolve AJAX test errors we've had for a while in Safari 13 & iOS 13. Closes gh-4779
This aligns the Node.js server with the previous PHP one in sending `mock.php` as a callback if there's no `callback` parameter in the query string which is triggered by a recently added test. This prevents the request crashing on that Node.js server and printing a JS error: ``` TypeError: Cannot read property '1' of null ``` Closes gh-4764 Ref gh-4754
Drop support for Edge Legacy: the non-Chromium, EdgeHTML-based Microsoft Edge version. Also, restrict some workarounds that were applied unconditionally in all browsers to run only in IE now. This slightly increases the size but reduces the performance burden on modern browsers that don't need the workarounds. Also, clean up some comments & remove some obsolete workarounds. Fixes gh-4568 Closes gh-4792
The queue module is not present in the slim build as it depends on deferred and our Gruntfile specifies excluding deferred should also exclude queue: https://github.com/jquery/jquery/blob/3.5.1/Gruntfile.js#L66 This commit makes this exclusion explicit so that the queue module never accidentally gets re-included in the slim build if it stopped importing from the deferred module directly. Closes gh-4793
In Chrome, if an element having a `focusout` handler is blurred by clicking outside of it, it invokes the handler synchronously. If that handler calls `.remove()` on the element, the data is cleared, leaving private data undefined. We're reading a property from that data so we need to guard against this. Fixes gh-4417 Closes gh-4799
Also, run browser tests on Node 14 instead of 12. Closes gh-4802
If during a focus handler another focus event is triggered:
```js
elem1.on( "focus", function() {
elem2.trigger( "focus" );
} );
```
due to their synchronous nature everywhere outside of IE the hack added in
gh-4279 to leverage native events causes the native `.focus()` method to be
called last for the initial element, making it steal the focus back. Since
the native method is already being called in `leverageNative`, we can skip that
final call.
This aligns with changes to the `_default` method for the `click` event that
were added when `leverageNative` was introduced there.
A side effect of this change is that now `focusin` will only propagate to the
document for the last focused element. This is a change in behavior but it also
aligns us better with how this works with native methods.
Fixes gh-4382
Closes gh-4813
Ref gh-4279
Two issues are fixed in testing for responses with a script Content-Type not getting auto-executed unless an explicit `dataType: "script"` is provided: * the test is now using a correct "text/javascript" Content-Type; it was using "text/html" until now which doesn't really check if the fix works * the Node.js based version of the tests didn't account for an empty `header` query string parameter Closes gh-4824 Ref gh-2432 Ref gh-2588 Ref 39cdb8c
PR gh-2588 made jQuery stop auto-execute cross-domain scripts unless `dataType: "script"` was explicitly provided; this change landed in jQuery 3.0.0. This change extends that logic same-domain scripts as well. After this change, to request a script under a provided URL to be evaluated, you need to provide `dataType: "script` in `jQuery.ajax` options or to use `jQuery.getScript`. Fixes gh-4822 Closes gh-4825 Ref gh-2432 Ref gh-2588
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
17 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.