SlideShare a Scribd company logo

jQuery Features to Avoid

D
dmethvin

The document discusses the evolution of jQuery and highlights features developers should avoid to prevent fragile, hard-to-understand, and slow code in large projects. It emphasizes the importance of using native JavaScript or W3C APIs when appropriate, and advances in new jQuery versions aimed at improving performance and user experience, like removing support for older browsers and deprecated features. The document also raises awareness about potential pitfalls in using jQuery, particularly around AJAX operations and creating HTML, urging developers to validate input and stick to best practices.

Technology
1 of 46
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
jQuery Features to Avoid Dave Methvin President, jQuery Foundation jQuery Core Team Lead
jQuery Is Evolving ● There are things in jQuery that ... ○ make code fragile in large projects ○ make code hard to understand ○ make code SLOW ● ... so you should avoid them! But how did this happen?
The World of jQuery 1.0
The World of jQuery 1.0 ● January 2006 browser market share 76% Internet Explorer 5.5 and 6.0 13% Firefox 1.x 11% Others (Netscape, AOL) ● State of web development in 2006 ○ HTML4, EcmaScript 3 (IE5 lacked try-catch) ○ AJAX term just coined in February 2005 ○ Nearly all pages were full-reload design ○ JavaScript was generally non-essential
jQuery Features to Avoid
It's Gotten Complicated ● Single page applications -- LEAKS! ● Massive amounts of JavaScript ● Script breaks? Page doesn't work. ● MORE browsers and screen sizes! ○ IE6-10, Firefox 3.6-15, Chrome 20-22, Safari 3-6, plus mobile browser variants (Android, iPhone/iPod, BlackBerry) which are often old and never updated! Bonus: IE9 on Xbox!
What Most Devs Want From jQuery
Temptation to over Simplify Wouldn't it be cool if jQuery... ● ...automagically figured out what kind of AJAX/JSONP request to make and did the "right thing" with the response? ● It's wonderful when it works ● Hard to debug when it doesn't ● Crazy hard to document
Complex APIs Make You Grumpy
jQuery Adapts ● Version 1.9 will remove some features ○ There is a compat plugin (cough, crutch) ● Version 2.0 removes support for IE 6/7/8 ● We will maintain both 1.9 and 2.0 and the APIs will be compatible Result? ● Smaller size ● Better performance ● Fewer "trip hazards"
Avoid Deprecated Things! ● http://api.jquery.com/category/deprecated/ ● Ineffective, Inefficient, Inadvisable ...
$.browser ● Sniffs around navigator.userAgent string ● Easily fooled and fragile ● Not future-proof -- bug in this version of Chrome or IE is no guarantee of bug in future Chrome or IE! ● Usually you want to feature detect ● Modernizr!
.toggle(fn1, fn2, fn3 ...) ● Cool method, bro ● Not really "core" functionality ● Lots of caveats in the docs ○ http://api.jquery.com/toggle-event/ ○ "Practically reads like a suicide note"
jQuery is not JavaScript!
jQuery is not JavaScript!
jQuery is not JavaScript!
Avoid using jQuery... ● ...when JavaScript or W3C APIs are more appropriate and performant ● Remember: jQuery is a DOM library ● All of JavaScript is yours to command ● jQuery tries to avoid getting in your way
Typical Checkbox Handler $("#sameAsBillTo").on("click", function(){ if ( $(this).is(":checked") ) { $("#shipTo").hide(); } else { $("#shipTo").show(); } } );
Use this, not $(this) Instead of $(this) … Use this! $(this).is(“:checked”) this.checked $(this).prop(“checked”) this.checked $(this).is(“:disabled”) this.disabled $(this).attr(“id”) this.id $(this).attr(“class”) this.className
Use this, not $(this) Instead of $(this) … Use this! $(this).is(“:checked”) this.checked $(this).prop(“checked”) this.checked $(this).is(“:disabled”) this.disabled $(this).attr(“id”) this.id $(this).attr(“class”) this.className Up to 100 times faster!
Better Checkbox Handler $("#sameAsBillTo").on("click", function(){ $("#shipTo").toggle(!this.checked); } );
Use W3C CSS Selectors Selector extension Use this (W3C CSS) :checkbox, :radio, : input[type=X] text, :image, :file, : reset :button button, input[type=button] :header h1, h2, h3, h4, h5 :first :first-child or .first() :last :last-child or .last()
jQuery Features to Avoid
Even More Stuff To Avoid... ● Features we can't remove ● Too frequently and commonly used ● Sometimes cute, but they'll bite you ● Especially bad on large projects
How Every Project Starts
What Every Project Becomes
$(html, props) ● You can say: $("<p />") .attr("class", "active") .click(myClickHandler) .text("Hello world") .appendTo("body"); ● Or, using $(html, props): $("<p />", { "class": "active", click: myClickHandler, text: "Hello world" }).appendTo("body");
$(html, props) Pitfalls 1 ● If the name is a method, it's called with the (single) argument you provide: $("<input />", { type: "checkbox", prop: { checked: true } }).appendTo("body"); ● No method with that name? It will be set as an attribute!
$(html, props) Pitfalls 2 ● Methods can collide with attributes! $("<input />", { type: "text", size: "15" // uh-oh! $.fn.size() attr: { size: 15 } // works }).appendTo("body"); ● This can happen with plugins someone adds to the project at a later time
Action at a Distance
jQuery.ajaxOptions() ● Lets you change behavior of $.ajax() ● GLOBALLY ● Including any third-party plugins ● Most jQuery code expects the "normal" defaults that are documented by the API
What does this do? $.ajax({ url: "file.txt", success: function(data){ alert(data); } });
How I Hosed Your AJAX $.ajaxSetup({ type: "POST", dataType: "json", timeout: 500 // ms! });
Avoiding Ajax Annihilation Make your own $.ajax() wrapper: function jsonRequest(options) { return $.ajax( $.extend({ dataType: "json", ... }, options) ); }
Using $() to create HTML ● jQuery(), aka $(), accepts anything! ○ function (for document ready) ○ DOM element ○ Array of DOM elements ○ A plain JavaScript object ○ HTML element string and props (as we saw) ○ Arbitrary HTML string ○ Selector string and context
Using $() to create HTML ● jQuery(), aka $(), accepts anything! ○ function (for document ready) ○ DOM element ○ Array of DOM elements ○ A plain JavaScript object ○ HTML element string and props (as we saw) ○ Arbitrary HTML string ○ Selector string and context
The "Looks Like HTML" Rule
The "Looks Like HTML" Rule "If a string is passed as the parameter to $(), jQuery examines the string to see if it looks like HTML (i.e., it has <tag...> somewhere within the string). If not, the string is interpreted as a selector expression ..." -- http://api.jquery.com/jQuery/#jQuery2
Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. -- Jamie Zawinski
Cross site scripting (XSS) ● $() can run <script>s in HTML ● $() can set HTML inline event handlers ● Many sites use unvalidated input to $() ○ "http://mysite.com/page.html#someid" ○ $(window.location.hash) // #someid ○ Uh oh! ■ http://jsfiddle.net/dmethvin/uKYUP/
Rule Change for jQuery 1.9 ● A string will only "look like HTML" if it starts with a "<" character! ● Leading whitespace allowed? Maybe. ● Helps to prevent inadvertent script interpretation in HTML ● Developers still must validate input!
Selector or HTML in 1.7? 1) "<p>Hello</p>" HTML 2) "Hello<p>there</p> world!" HTML 3) ".tip[title='Hello']" selector 4) ".tip[title='<b>Hello</b>']" HTML 5) "#footer .copyright" selector 6) "#ONE <b>Redskins</b> fan!" HTML
Selector or HTML in 1.9? 1) "<p>Hello</p>" HTML 2) "Hello<p>there</p> world!" selector 3) ".tip[title='Hello']" selector 4) ".tip[title='<b>Hello</b>']" selector 5) "#footer .copyright" selector 6) "#ONE <b>Redskins</b> fan!" selector Note that many of these are NOT valid CSS selectors and will throw an error.
Say what you want! ● In jQuery 1.8: ○ $.parseHTML(html, runScripts) ■ html is a string of arbitrary HTML ■ runScripts is a Boolean that says whether to run inline or external scripts in the HTML; defaults to false. ● Not a panacea for all XSS problems ○ http://jsfiddle.net/dmethvin/VNBDF/ ● Needs documentation...sorry!
jQuery's Not Perfect ● Use the good parts ● Avoid the bad parts ● You'll be happier with jQuery ● Your co-workers will thank you! You can find this presentation at: http://slideshare.net/
Questions? Twitter: @davemethvin Github: dmethvin IRC #jquery-dev: DaveMethvin

More Related Content

What's hot (20)

PPTX
jQuery
Dileep Mishra
 
PDF
jQuery Essentials
Marc Grabanski
 
PPT
jQuery
Mostafa Bayomi
 
PPT
JQuery introduction
NexThoughts Technologies
 
PPTX
jQuery Presentation
Rod Johnson
 
PPTX
jQuery from the very beginning
Anis Ahmad
 
PPTX
SharePoint and jQuery Essentials
Mark Rackley
 
PPTX
Getting the Most Out of jQuery Widgets
velveeta_512
 
PDF
jQuery: Nuts, Bolts and Bling
Doug Neiner
 
ODP
Introduction to jQuery
manugoel2003
 
KEY
The jQuery Library
LearnNowOnline
 
PPTX
jQuery
Vishwa Mohan
 
PDF
jQuery Introduction
Arwid Bancewicz
 
PDF
Learning jQuery in 30 minutes
Simon Willison
 
PDF
Introduction to jQuery
Zeeshan Khan
 
PPTX
Introduction to jQuery
Gunjan Kumar
 
PPTX
FuncUnit
Brian Moschel
 
PDF
D3.js and SVG
Karol Depka Pradzinski
 
PDF
jQuery in 15 minutes
Simon Willison
 
PDF
Prototype & jQuery
Remy Sharp
 
jQuery
Dileep Mishra
 
jQuery Essentials
Marc Grabanski
 
jQuery
Mostafa Bayomi
 
JQuery introduction
NexThoughts Technologies
 
jQuery Presentation
Rod Johnson
 
jQuery from the very beginning
Anis Ahmad
 
SharePoint and jQuery Essentials
Mark Rackley
 
Getting the Most Out of jQuery Widgets
velveeta_512
 
jQuery: Nuts, Bolts and Bling
Doug Neiner
 
Introduction to jQuery
manugoel2003
 
The jQuery Library
LearnNowOnline
 
jQuery
Vishwa Mohan
 
jQuery Introduction
Arwid Bancewicz
 
Learning jQuery in 30 minutes
Simon Willison
 
Introduction to jQuery
Zeeshan Khan
 
Introduction to jQuery
Gunjan Kumar
 
FuncUnit
Brian Moschel
 
D3.js and SVG
Karol Depka Pradzinski
 
jQuery in 15 minutes
Simon Willison
 
Prototype & jQuery
Remy Sharp
 

Similar to jQuery Features to Avoid (20)

PPTX
Jquery Complete Presentation along with Javascript Basics
EPAM Systems
 
PPT
J query lecture 1
Waseem Lodhi
 
PDF
jQuery (BostonPHP)
jeresig
 
PDF
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
Doris Chen
 
ODP
Jquery- One slide completing all JQuery
Knoldus Inc.
 
PPTX
Getting Started with jQuery
Akshay Mathur
 
PDF
jQuery (DrupalCamp Toronto)
jeresig
 
PPT
J query presentation
sawarkar17
 
PPT
J query presentation
akanksha17
 
PPT
J query b_dotnet_ug_meet_12_may_2012
ghnash
 
PPTX
Getting started with jQuery
Gill Cleeren
 
PDF
Learning jQuery @ MIT
jeresig
 
PDF
Intro to jQuery @ Startup Institute
Rafael Gonzaque
 
PPT
Jqueryforbeginnersjqueryconference2009 090914063709 Phpapp02
careersblog
 
PPTX
Getting Started with jQuery
Laila Buncab
 
KEY
Bcblackpool jquery tips
Jack Franklin
 
PPTX
Web technologies-course 11.pptx
Stefan Oprea
 
PPT
State of jQuery - AspDotNetStorefront Conference
dmethvin
 
PPTX
jQuery Conference Austin Sept 2013
dmethvin
 
PPTX
Cartegraph Live HTML, CSS, JavaScript and jQuery Training
Shane Church
 
Jquery Complete Presentation along with Javascript Basics
EPAM Systems
 
J query lecture 1
Waseem Lodhi
 
jQuery (BostonPHP)
jeresig
 
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
Doris Chen
 
Jquery- One slide completing all JQuery
Knoldus Inc.
 
Getting Started with jQuery
Akshay Mathur
 
jQuery (DrupalCamp Toronto)
jeresig
 
J query presentation
sawarkar17
 
J query presentation
akanksha17
 
J query b_dotnet_ug_meet_12_may_2012
ghnash
 
Getting started with jQuery
Gill Cleeren
 
Learning jQuery @ MIT
jeresig
 
Intro to jQuery @ Startup Institute
Rafael Gonzaque
 
Jqueryforbeginnersjqueryconference2009 090914063709 Phpapp02
careersblog
 
Getting Started with jQuery
Laila Buncab
 
Bcblackpool jquery tips
Jack Franklin
 
Web technologies-course 11.pptx
Stefan Oprea
 
State of jQuery - AspDotNetStorefront Conference
dmethvin
 
jQuery Conference Austin Sept 2013
dmethvin
 
Cartegraph Live HTML, CSS, JavaScript and jQuery Training
Shane Church
 
Ad

More from dmethvin (10)

PPTX
HTTP 2.0 - Web Unleashed 2015
dmethvin
 
PPTX
jQuery Foot-Gun Features
dmethvin
 
PPTX
jQuery Conference Chicago - September 2014
dmethvin
 
PDF
PrairieDevCon 2014 - Web Doesn't Mean Slow
dmethvin
 
PDF
jQuery Conference Toronto
dmethvin
 
PDF
jQuery Conference San Diego 2014 - Web Performance
dmethvin
 
PDF
State of jQuery June 2013 - Portland
dmethvin
 
PDF
jQueryTO: State of jQuery March 2013
dmethvin
 
PPTX
jQuery Conference 2012 keynote
dmethvin
 
PPT
jQuery 1.7 Events
dmethvin
 
HTTP 2.0 - Web Unleashed 2015
dmethvin
 
jQuery Foot-Gun Features
dmethvin
 
jQuery Conference Chicago - September 2014
dmethvin
 
PrairieDevCon 2014 - Web Doesn't Mean Slow
dmethvin
 
jQuery Conference Toronto
dmethvin
 
jQuery Conference San Diego 2014 - Web Performance
dmethvin
 
State of jQuery June 2013 - Portland
dmethvin
 
jQueryTO: State of jQuery March 2013
dmethvin
 
jQuery Conference 2012 keynote
dmethvin
 
jQuery 1.7 Events
dmethvin
 
Ad

Recently uploaded (20)

PDF
GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...
James Anderson
 
PDF
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
PDF
''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...
Fwdays
 
PDF
“A Re-imagination of Embedded Vision System Design,” a Presentation from Imag...
Edge AI and Vision Alliance
 
PDF
Hyderabad MuleSoft In-Person Meetup (June 21, 2025) Slides
Ravi Tamada
 
PDF
ArcGIS Utility Network Migration - The Hunter Water Story
Safe Software
 
PDF
Darley - FIRST Copenhagen Lightning Talk (2025-06-26) Epochalypse 2038 - Time...
treyka
 
PDF
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
PDF
Hello I'm "AI" Your New _________________
Dr. Tathagat Varma
 
PDF
Why aren't you using FME Flow's CPU Time?
Safe Software
 
PDF
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
PDF
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
PDF
Understanding AI Optimization AIO, LLMO, and GEO
CoDigital
 
PDF
Pipeline Industry IoT - Real Time Data Monitoring
Safe Software
 
PDF
Proactive Server and System Monitoring with FME: Using HTTP and System Caller...
Safe Software
 
PDF
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
PDF
Bitkom eIDAS Summit | European Business Wallet: Use Cases, Macroeconomics, an...
Carsten Stoecker
 
PDF
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
PDF
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
PDF
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...
James Anderson
 
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...
Fwdays
 
“A Re-imagination of Embedded Vision System Design,” a Presentation from Imag...
Edge AI and Vision Alliance
 
Hyderabad MuleSoft In-Person Meetup (June 21, 2025) Slides
Ravi Tamada
 
ArcGIS Utility Network Migration - The Hunter Water Story
Safe Software
 
Darley - FIRST Copenhagen Lightning Talk (2025-06-26) Epochalypse 2038 - Time...
treyka
 
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
Hello I'm "AI" Your New _________________
Dr. Tathagat Varma
 
Why aren't you using FME Flow's CPU Time?
Safe Software
 
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
Understanding AI Optimization AIO, LLMO, and GEO
CoDigital
 
Pipeline Industry IoT - Real Time Data Monitoring
Safe Software
 
Proactive Server and System Monitoring with FME: Using HTTP and System Caller...
Safe Software
 
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
Bitkom eIDAS Summit | European Business Wallet: Use Cases, Macroeconomics, an...
Carsten Stoecker
 
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 

jQuery Features to Avoid

  • 1. jQuery Features to Avoid Dave Methvin President, jQuery Foundation jQuery Core Team Lead
  • 2. jQuery Is Evolving ● There are things in jQuery that ... ○ make code fragile in large projects ○ make code hard to understand ○ make code SLOW ● ... so you should avoid them! But how did this happen?
  • 3. The World of jQuery 1.0
  • 4. The World of jQuery 1.0 ● January 2006 browser market share 76% Internet Explorer 5.5 and 6.0 13% Firefox 1.x 11% Others (Netscape, AOL) ● State of web development in 2006 ○ HTML4, EcmaScript 3 (IE5 lacked try-catch) ○ AJAX term just coined in February 2005 ○ Nearly all pages were full-reload design ○ JavaScript was generally non-essential
  • 6. It's Gotten Complicated ● Single page applications -- LEAKS! ● Massive amounts of JavaScript ● Script breaks? Page doesn't work. ● MORE browsers and screen sizes! ○ IE6-10, Firefox 3.6-15, Chrome 20-22, Safari 3-6, plus mobile browser variants (Android, iPhone/iPod, BlackBerry) which are often old and never updated! Bonus: IE9 on Xbox!
  • 7. What Most Devs Want From jQuery
  • 8. Temptation to over Simplify Wouldn't it be cool if jQuery... ● ...automagically figured out what kind of AJAX/JSONP request to make and did the "right thing" with the response? ● It's wonderful when it works ● Hard to debug when it doesn't ● Crazy hard to document
  • 9. Complex APIs Make You Grumpy
  • 10. jQuery Adapts ● Version 1.9 will remove some features ○ There is a compat plugin (cough, crutch) ● Version 2.0 removes support for IE 6/7/8 ● We will maintain both 1.9 and 2.0 and the APIs will be compatible Result? ● Smaller size ● Better performance ● Fewer "trip hazards"
  • 11. Avoid Deprecated Things! ● http://api.jquery.com/category/deprecated/ ● Ineffective, Inefficient, Inadvisable ...
  • 12. $.browser ● Sniffs around navigator.userAgent string ● Easily fooled and fragile ● Not future-proof -- bug in this version of Chrome or IE is no guarantee of bug in future Chrome or IE! ● Usually you want to feature detect ● Modernizr!
  • 13. .toggle(fn1, fn2, fn3 ...) ● Cool method, bro ● Not really "core" functionality ● Lots of caveats in the docs ○ http://api.jquery.com/toggle-event/ ○ "Practically reads like a suicide note"
  • 14. jQuery is not JavaScript!
  • 15. jQuery is not JavaScript!
  • 16. jQuery is not JavaScript!
  • 17. Avoid using jQuery... ● ...when JavaScript or W3C APIs are more appropriate and performant ● Remember: jQuery is a DOM library ● All of JavaScript is yours to command ● jQuery tries to avoid getting in your way
  • 18. Typical Checkbox Handler $("#sameAsBillTo").on("click", function(){ if ( $(this).is(":checked") ) { $("#shipTo").hide(); } else { $("#shipTo").show(); } } );
  • 19. Use this, not $(this) Instead of $(this) … Use this! $(this).is(“:checked”) this.checked $(this).prop(“checked”) this.checked $(this).is(“:disabled”) this.disabled $(this).attr(“id”) this.id $(this).attr(“class”) this.className
  • 20. Use this, not $(this) Instead of $(this) … Use this! $(this).is(“:checked”) this.checked $(this).prop(“checked”) this.checked $(this).is(“:disabled”) this.disabled $(this).attr(“id”) this.id $(this).attr(“class”) this.className Up to 100 times faster!
  • 21. Better Checkbox Handler $("#sameAsBillTo").on("click", function(){ $("#shipTo").toggle(!this.checked); } );
  • 22. Use W3C CSS Selectors Selector extension Use this (W3C CSS) :checkbox, :radio, : input[type=X] text, :image, :file, : reset :button button, input[type=button] :header h1, h2, h3, h4, h5 :first :first-child or .first() :last :last-child or .last()
  • 24. Even More Stuff To Avoid... ● Features we can't remove ● Too frequently and commonly used ● Sometimes cute, but they'll bite you ● Especially bad on large projects
  • 27. $(html, props) ● You can say: $("<p />") .attr("class", "active") .click(myClickHandler) .text("Hello world") .appendTo("body"); ● Or, using $(html, props): $("<p />", { "class": "active", click: myClickHandler, text: "Hello world" }).appendTo("body");
  • 28. $(html, props) Pitfalls 1 ● If the name is a method, it's called with the (single) argument you provide: $("<input />", { type: "checkbox", prop: { checked: true } }).appendTo("body"); ● No method with that name? It will be set as an attribute!
  • 29. $(html, props) Pitfalls 2 ● Methods can collide with attributes! $("<input />", { type: "text", size: "15" // uh-oh! $.fn.size() attr: { size: 15 } // works }).appendTo("body"); ● This can happen with plugins someone adds to the project at a later time
  • 30. Action at a Distance
  • 31. jQuery.ajaxOptions() ● Lets you change behavior of $.ajax() ● GLOBALLY ● Including any third-party plugins ● Most jQuery code expects the "normal" defaults that are documented by the API
  • 32. What does this do? $.ajax({ url: "file.txt", success: function(data){ alert(data); } });
  • 33. How I Hosed Your AJAX $.ajaxSetup({ type: "POST", dataType: "json", timeout: 500 // ms! });
  • 34. Avoiding Ajax Annihilation Make your own $.ajax() wrapper: function jsonRequest(options) { return $.ajax( $.extend({ dataType: "json", ... }, options) ); }
  • 35. Using $() to create HTML ● jQuery(), aka $(), accepts anything! ○ function (for document ready) ○ DOM element ○ Array of DOM elements ○ A plain JavaScript object ○ HTML element string and props (as we saw) ○ Arbitrary HTML string ○ Selector string and context
  • 36. Using $() to create HTML ● jQuery(), aka $(), accepts anything! ○ function (for document ready) ○ DOM element ○ Array of DOM elements ○ A plain JavaScript object ○ HTML element string and props (as we saw) ○ Arbitrary HTML string ○ Selector string and context
  • 37. The "Looks Like HTML" Rule
  • 38. The "Looks Like HTML" Rule "If a string is passed as the parameter to $(), jQuery examines the string to see if it looks like HTML (i.e., it has <tag...> somewhere within the string). If not, the string is interpreted as a selector expression ..." -- http://api.jquery.com/jQuery/#jQuery2
  • 39. Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. -- Jamie Zawinski
  • 40. Cross site scripting (XSS) ● $() can run <script>s in HTML ● $() can set HTML inline event handlers ● Many sites use unvalidated input to $() ○ "http://mysite.com/page.html#someid" ○ $(window.location.hash) // #someid ○ Uh oh! ■ http://jsfiddle.net/dmethvin/uKYUP/
  • 41. Rule Change for jQuery 1.9 ● A string will only "look like HTML" if it starts with a "<" character! ● Leading whitespace allowed? Maybe. ● Helps to prevent inadvertent script interpretation in HTML ● Developers still must validate input!
  • 42. Selector or HTML in 1.7? 1) "<p>Hello</p>" HTML 2) "Hello<p>there</p> world!" HTML 3) ".tip[title='Hello']" selector 4) ".tip[title='<b>Hello</b>']" HTML 5) "#footer .copyright" selector 6) "#ONE <b>Redskins</b> fan!" HTML
  • 43. Selector or HTML in 1.9? 1) "<p>Hello</p>" HTML 2) "Hello<p>there</p> world!" selector 3) ".tip[title='Hello']" selector 4) ".tip[title='<b>Hello</b>']" selector 5) "#footer .copyright" selector 6) "#ONE <b>Redskins</b> fan!" selector Note that many of these are NOT valid CSS selectors and will throw an error.
  • 44. Say what you want! ● In jQuery 1.8: ○ $.parseHTML(html, runScripts) ■ html is a string of arbitrary HTML ■ runScripts is a Boolean that says whether to run inline or external scripts in the HTML; defaults to false. ● Not a panacea for all XSS problems ○ http://jsfiddle.net/dmethvin/VNBDF/ ● Needs documentation...sorry!
  • 45. jQuery's Not Perfect ● Use the good parts ● Avoid the bad parts ● You'll be happier with jQuery ● Your co-workers will thank you! You can find this presentation at: http://slideshare.net/
  • 46. Questions? Twitter: @davemethvin Github: dmethvin IRC #jquery-dev: DaveMethvin