jQuery 3.5.1 Released: Fixing a Regression

Posted on by

I’ve never gotten to say this on a jQuery release, but May the 4th be with you! A short time ago in a galaxy exactly like this one, we released jQuery 3.5.0. We have a quick fix for a regression in that release.

Specifically, we had changed our internal data object to use Object.create( null ) instead of a plain object ({}). We did that to prevent collisions with keys on Object.prototype properties. However, this also meant that users (especially plugins) could no longer check what was in jQuery data with the native .hasOwnProperty() method, and it broke some code. We’ve reverted that change, but plan to put it back in jQuery 4.0. This change is the only code change in this release. Other changes include some minor updates to our docs and build system.

Security fixes in 3.5.0

jQuery 3.5.0 included fixes for two security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub. While we provided all of the details on the first issue in the jQuery 3.5.0 blog post, we did not provide all of the details on the second and would like to do that in this post.

The second issue was very similar to the first. It was an XSS vulnerability that had to do with passing <option> elements to jQuery’s DOM manipulation methods. Essentially, we’re using a regex to wrap <option> elements with <select> elements to ensure those elements get parsed correctly in old IE (IE <= 9 replaces any <option> tags with their contents when inserted outside of a <select> element).

Our fix is to only apply this code where it is needed. Fortunately, because of the different parsing behavior in IE9, we can keep the fix in IE9 without exposing it to the same vulnerability as other browsers. Please upgrade when you get a chance to avoid these vulnerabilities.

Upgrading

If you haven’t yet upgraded to jQuery 3.5, have a look at the 3.5 Upgrade Guide. If you haven’t yet upgraded to jQuery 3+, first have a look at the 3.0 Upgrade Guide. Also, the jQuery Migrate plugin will help you to identify compatibility issues in your code.

If you can’t yet upgrade to 3.5+, Daniel Ruf has kindly provided patches for previous jQuery versions. Please try out this new release and let us know about any issues you experienced.

Download

You can get the files from the jQuery CDN, or link to them directly:

https://code.jquery.com/jquery-3.5.1.js

https://code.jquery.com/jquery-3.5.1.min.js

You can also get this release from npm:

npm install jquery@3.5.1

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:

https://code.jquery.com/jquery-3.5.1.slim.js

https://code.jquery.com/jquery-3.5.1.slim.min.js

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today, please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Thanks

Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including Pierre Grimaud, Michal Golebiowski-Owczarek, Ed S, vanillajonathan, and the whole jQuery team.

Changelog

Full changelog: 3.5.1

Build

  • Test on Node.js 14, stop testing on Node.js 8 & 13 (205dd134)
  • Enable reportUnusedDisableDirectives in ESLint (b21d6710)
  • Updating the 3.x-stable version to 3.5.1-pre. (898784ab)

Data

Docs

Tests

  • Workaround failures in recent XSS tests in iOS 8 – 12 (ea2d0d50)
  • Add tests for recently fixed manipulation XSS issues (58a8e879)
  • Cleanup `window` & `document` handlers in a new event test (c1c0598d)
  • Fix flakiness in the “jQuery.ajax() – JSONP – Same Domain” test (46ba70c5)

jQuery 3.5.0 Released!

Posted on by

jQuery 3.5.0 has been released! As usual, the release is available on our cdn and the npm package manager. Other third party CDNs will probably have it soon as well, but remember that we don’t control their release schedules and they will need some time.

We hope you’re staying healthy and safe while so many of us are stuck at home. With a virus ravaging the planet, we realize that jQuery may not be a high priority for you or the sites you manage. When you do have a moment, we recommend that you review this new version and upgrade.

Security Fix

The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why: jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter ensured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.

The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged.

If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin provides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.

However, to sanitize user input properly, we also recommend using dompurify with the SAFE_FOR_JQUERY option to sanitize HTML from a user. If you don’t need the old behavior, but would still like to sanitize HTML from a user, dompurify should be used without the SAFE_FOR_JQUERY option, starting in jQuery 3.5.0. For more details, please see the 3.5 Upgrade Guide.

Features

With what we call “positional selectors” being deprecated and slated for removal in jQuery 4.0, we’ve added the last two necessary replacement methods. Specifically, we’ve added the .even() and .odd() methods to replace the :even and :odd selectors. With these methods in place, we can safely remove these overly complicated selectors in jQuery 4.0.

Another small feature that we’ve added to this release is the ability to add a context to jQuery.globalEval. This was done as part of fixing a bug with script execution in iframes.

Fixes

One bug worth highlighting is a bug we fixed in the Ajax script transport. jQuery used to evaluate any response to a request for a script as a script, which is not always the desired behavior. This is different than other data types where such a convention was fine (e.g. in the case of JSON). jQuery 3.5.0 will now only evaluate successful HTTP responses.

Other bug fixes and improvements include performance improvements in Sizzle, support for massive arrays in jQuery.map, using the native .flat() method where supported, a fix for syntax errors in the AMD modules, several improvements to our testing infrastructure, and more. You’ll find the full changelog below.

Deprecations

It wouldn’t be a jQuery release without some deprecations. In jQuery 3.5.0, we’ve put jQuery.trim on the list. JavaScript’s own String.prototype.trim() is an easy replacement for it.

We’ve also put AJAX event aliases on the list, they can be replaced by .on("ajaxStart", …) and the like. jQuery Migrate will warn about these now-deprecated methods, but they’ll stick around until jQuery 4.0.

Upgrading

Aside from the change to no longer ensure XHTML-compliant tags for you, we do not expect other compatibility issues when upgrading from a jQuery 3.0+ version. To upgrade, have a look at the new 3.5 Upgrade Guide. If you haven’t yet upgraded to jQuery 3+, first have a look at the 3.0 Upgrade Guide.

The jQuery Migrate plugin will help you to identify compatibility issues in your code. Please try out this new release and let us know about any issues you experienced.

If you can’t yet upgrade to 3.5+, Daniel Ruf has kindly provided patches for previous jQuery versions.

Download

You can get the files from the jQuery CDN, or link to them directly:

https://code.jquery.com/jquery-3.5.0.js

https://code.jquery.com/jquery-3.5.0.min.js

You can also get this release from npm:

npm install jquery@3.5.0

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:

https://code.jquery.com/jquery-3.5.0.slim.js

https://code.jquery.com/jquery-3.5.0.slim.min.js

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today, please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Thanks

Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including Ahmed S. El-Afifi, Michał Gołębiowski-Owczarek, Wonseop Kim, Dave Methvin, Shashanka Nataraj, Pat O’Callaghan, Sean Robinson, Christian Oliff, Christian Wenz, and the whole jQuery team.

We also would like to thank Masato Kinugawa for helping us identify and fix the security-related issues in this release.

Changelog

Full changelog: 3.5.0

Ajax

  • Do not execute scripts for unsuccessful HTTP responses (#4250, #4655, da3dd85b)
  • Overwrite s.contentType with content-type header value, if any (#4119, 065143c2)
  • Deprecate AJAX event aliases, inline event/alias into deprecated (7a3cf9c0)

Build

  • Resolve Travis config warnings (7506c9ca)
  • Enable ESLint one-var rule for var declarations in browser code (0fdfdd82)
  • Test the no-Sizzle build on Travis (362075ae)
  • Update .mailmap & AUTHORS.txt (19f2dcba)
  • Tests: Fix custom build tests, verify on Travis; name Travis jobs (d525ae34)
  • Lint the minified jQuery file as well (#3075, 37df5cdf)
  • Make Karma work in AMD mode (46c284b1)
  • Create a `grunt custom:slim` alias for the Slim build (4cbdc745)
  • Run tests on Travis only on browsers defined in the config (471b0043)
  • Run tests on Firefox ESR as well (0a73b94a)
  • Run tests on Node.js 13 in addition to 8, 10 & 12 (64c1fcc1)
  • Drop workarounds for Node.js 6 in Gruntfile.js (9f4204ec)
  • Run tests on Travis on FirefoxHeadless as well (ad3c2efa)
  • Require strict mode in Node.js scripts via ESLint (ac2da4e6)
  • Support jquery-release –dry-run flag (c7a5e1bd)
  • Stop copying src/core.js to dist on release (#4489, 279d2e97)
  • ESLint: forbid unused function parameters (d7e13f12)
  • Fix the regex parsing AMD var-modules (#4389) (36b59c96)

Core

  • Ajax: Align nonce & global with master, fix an AMD issue (22bf701f)
  • Fire iframe script in its context, add doc param in globalEval (#4518, 3dedc3f2)
  • Deprecate jQuery.trim (#4363, 56e73e0c)
  • Use Array.prototype.flat where supported (#4320, 2f666c1d)
  • Implement .even() & .odd() to replace POS :even & :odd (409cbda7)

CSS

  • Workaround buggy getComputedStyle on table rows in IE/Edge (#4490, 6d31477a)

Data

  • Event:Manipulation: Prevent collisions with Object.prototype (#3256, 413ff796)

Docs

  • Update links to EdgeHTML issues to go through Web Archive (d72faced)
  • Convert link to Homebrew from HTTP to HTTPS (ff5a43eb)

Effect

  • Fix a unnecessary conditional statement in .stop() (#4374, 30f5c6c3)

Event

  • Use only one focusin/out handler per matching window & document (#4652, 9e15d6b4)
  • Only attach events to objects that accept data – for real (#4397, f36f6abb)

Manipulation

  • Skip the select wrapper for option elements
  • Make jQuery.htmlPrefilter an identity function (1d61fd94)

Offset

Selector

Tests

  • Blacklist one focusin test in IE (1a4f10dd)
  • Pass a number of necessary done() calls to assert.async() (5ea844f6)
  • Make the support tests pass on Firefox 4x/5x/60 (f0d5ec62)
  • Skip a “width/height on a table row with phantom borders” test in Firefox (c79e1d5f)
  • Don’t test synchronous XHR on unload in Chrome (c5b48c8c)
  • Fix offset fractions tests in Chrome for Android (0c67da4b)
  • Move Android user agent detection above iOS, put Safari last (6276cb2e)
  • Make support tests accept Safari 13 & newer (8167327f)
  • update npo.js and include unminified source instead (3654bc83)

Traversing

  • Fix contents() on object elements with children in IE (90f78b9a)
  • Fix contents() on object elements with children (#4384, 42badf34)

jQuery 3.4.1: triggering focus events in IE and finding root elements in iOS 10

Posted on by

Hello again! jQuery 3.4.0 was released just three weeks ago, but we’ve had a few issues reported that warranted a patch release. Thank you to everyone that reported issues and helped us get these fixed quickly. Here are the changes:

Triggering focus or blur more than once in IE

jQuery 3.4.0 came with some changes to the way the event handler triggered native events such focus and blur. These changes caused a regression that sometimes resulted in an enigmatic error being thrown in the form of "saved.shift is not a function". This is now fixed.

Example

// Error thrown in IE10-11
// after clicking #test-element twice
jQuery("#test-element").click(function() {
  jQuery(this).trigger("blur");
});

Checking element attachment in iOS 10.0-10.2

When releasing 3.4.0, we ran our tests in several versions of iOS, including iOS 10.3 but not 10.0-10.2. Those versions do not support a native function we use to determine whether an element is attached to the DOM. Other versions of iOS were not affected. We added a guard to ensure that this method exists and fall back to other options if necessary.

Loading jQuery with AMD

A small module was added in jQuery 3.4.0 that used the global jQuery rather than the local jQuery loaded with AMD. This resulted in "jQuery is undefined" errors when loading with AMD, but this should now be fixed.

 


Upgrading

There should be no compatibility issues if upgrading from jQuery 3.0+. If you haven’t yet upgraded to jQuery 3+, please have a look at the 3.0 Upgrade Guide. The jQuery Migrate 3.0 plugin will help you to identify compatibility issues in your code.

Please try out this new release and let us know about any issues you experienced.

Download

You can get the files from the jQuery CDN, or link to them directly:

https://code.jquery.com/jquery-3.4.1.js

https://code.jquery.com/jquery-3.4.1.min.js

You can also get this release from npm:

npm install jquery@3.4.1

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:

https://code.jquery.com/jquery-3.4.1.slim.js

https://code.jquery.com/jquery-3.4.1.slim.min.js

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today, please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Thanks

Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including Richard Gibson, Michal Golebiowski-Owczarek, and the whole jQuery team.

Changelog

GitHub changelog: Issues fixed in 3.4.1 | All changes

Build

  • Fix unresolved jQuery reference in finalPropName (#4358, 0d4af529)

Core

Event

  • Prevent leverageNative from registering duplicate dummy handlers (6c1e7dbf)
  • Fix handling of multiple async focus events (#4350, 24d71ac7)

jQuery Community Updates 10/26

Posted on by

Updates From jQuery Core

I’ve got some good news today about the next version of jQuery: jQuery 1.4.4. On the heels of the 1.4.3 release, which included many fixes (and of course the introduction of jQuery Mobile), we felt it would be of most benefit to the community if we were to make a maintenance release soon after, aimed to further improve the stability of the jQuery core.

For 1.4.4, we’ve identified those bugs that were most critical for us to fix and thanks to John Resig and the bug triage team, we’ve already fixed the majority of these issues. We currently intend on releasing 1.4.4 in early November, assuming no further major bugs are targeted for this release.

Today, we would like to ask the community to assist us in ensuring this new release is as stable as possible through stress-testing it. While we already run a comprehensive suite of automated unit tests on jQuery, adding real-world user testing into our project flow allows us the opportunity to fix critical bugs sooner and will assist in 1.4.4 being a significant improvement over the last release.

If you would like to test 1.4.4, you can download an up-to-the-minute version of it (dubbed jQuery Git) here:

http://code.jquery.com/jquery-git.js

Please bear in mind that this version is not yet ready for production systems and is only made available for evaluation and testing. It is also now available on jsFiddle.net under the entry ‘jQuery 0 Git’.

We appreciate the community’s assistance in helping us make this release as stable as possible and welcome any feedback you may have on it. If you notice a bug in this release and would like to report it, please see the guidelines on bug submission.

Updates From the jQuery UI Team

The developers from the jQuery UI team stayed in Boston for three days after the conference and were able to fix quite a few bugs and do some face-to-face planning on the future of jQuery UI. jQuery UI 1.8.6 is nearing a release date very soon, so keep an eye on the jQuery UI blog for it.

Additionally, the jQuery UI team is working with Colin Snover to migrate jQuery UI’s ticket system over to a new system like jQuery Core just received. We are really excited about having a more stable and collaborative ticket tracking system and would love more contributions from the community helping in ticket triage. If you are interested in contributing, please talk to a jQuery Developer Relations team member.

The Official jQuery Podcast with Ralph Whitbeck and Rey Bango released their 37th episode last week. Their guest this week was Ben Nadel and they discussed jQuery in the ColdFusion community as well as talk about the jQuery Conference that took place in Boston last weekend. This week they’ll be interviewing John Resig about jQuery 1.4.3 and jQuery Mobile. If you have any questions you would like answered please send your question via the contact form.

Don’t forget about our forums. We have a vibrant community asking and answering questions. We would love more people contributing by helping others out in answering questions. It’s a great way to get involved in the project; being able to give your knowledge back to others is very rewarding.