jQuery 3.5.0 Released!
jQuery 3.5.0 has been released! As usual, the release is available on our cdn and the npm package manager. Other third party CDNs will probably have it soon as well, but remember that we don’t control their release schedules and they will need some time.
We hope you’re staying healthy and safe while so many of us are stuck at home. With a virus ravaging the planet, we realize that jQuery may not be a high priority for you or the sites you manage. When you do have a moment, we recommend that you review this new version and upgrade.
The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why: jQuery used a regex in its
jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter ensured that a call like
jQuery("<div class='hot' />") is actually converted to
jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.
The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The
jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged.
If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin provides a function to restore the old
jQuery.htmlPrefilter. After including the plugin you can call
jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.
However, to sanitize user input properly, we also recommend using dompurify with the
SAFE_FOR_JQUERY option to sanitize HTML from a user. If you don’t need the old behavior, but would still like to sanitize HTML from a user, dompurify should be used without the
SAFE_FOR_JQUERY option, starting in jQuery 3.5.0. For more details, please see the 3.5 Upgrade Guide.
With what we call “positional selectors” being deprecated and slated for removal in jQuery 4.0, we’ve added the last two necessary replacement methods. Specifically, we’ve added the
.odd() methods to replace the
:odd selectors. With these methods in place, we can safely remove these overly complicated selectors in jQuery 4.0.
Another small feature that we’ve added to this release is the ability to add a context to
jQuery.globalEval. This was done as part of fixing a bug with script execution in iframes.
One bug worth highlighting is a bug we fixed in the Ajax script transport. jQuery used to evaluate any response to a request for a script as a script, which is not always the desired behavior. This is different than other data types where such a convention was fine (e.g. in the case of JSON). jQuery 3.5.0 will now only evaluate successful HTTP responses.
Other bug fixes and improvements include performance improvements in Sizzle, support for massive arrays in jQuery.map, using the native
.flat() method where supported, a fix for syntax errors in the AMD modules, several improvements to our testing infrastructure, and more. You’ll find the full changelog below.
We’ve also put AJAX event aliases on the list, they can be replaced by
.on("ajaxStart", …) and the like. jQuery Migrate will warn about these now-deprecated methods, but they’ll stick around until jQuery 4.0.
Aside from the change to no longer ensure XHTML-compliant tags for you, we do not expect other compatibility issues when upgrading from a jQuery 3.0+ version. To upgrade, have a look at the new 3.5 Upgrade Guide. If you haven’t yet upgraded to jQuery 3+, first have a look at the 3.0 Upgrade Guide.
If you can’t yet upgrade to 3.5+, Daniel Ruf has kindly provided patches for previous jQuery versions.
You can get the files from the jQuery CDN, or link to them directly:
You can also get this release from npm:
npm install firstname.lastname@example.org
Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:
These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today, please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.
Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including Ahmed S. El-Afifi, Michal Golebiowski-Owczarek, Wonseop Kim, Dave Methvin, Shashanka Nataraj, Pat O’Callaghan, Sean Robinson, Christian Oliff, Christian Wenz, and the whole jQuery team.
We also would like to thank Masato Kinugawa for helping us identify and fix the security-related issues in this release.
Full changelog: 3.5.0
- Do not execute scripts for unsuccessful HTTP responses (#4250, #4655, da3dd85b)
- Overwrite s.contentType with content-type header value, if any (#4119, 065143c2)
- Deprecate AJAX event aliases, inline event/alias into deprecated (7a3cf9c0)
- Resolve Travis config warnings (7506c9ca)
- Enable ESLint one-var rule for var declarations in browser code (0fdfdd82)
- Test the no-Sizzle build on Travis (362075ae)
- Update .mailmap & AUTHORS.txt (19f2dcba)
- Tests: Fix custom build tests, verify on Travis; name Travis jobs (d525ae34)
- Lint the minified jQuery file as well (#3075, 37df5cdf)
- Make Karma work in AMD mode (46c284b1)
- Create a `grunt custom:slim` alias for the Slim build (4cbdc745)
- Run tests on Travis only on browsers defined in the config (471b0043)
- Run tests on Firefox ESR as well (0a73b94a)
- Run tests on Node.js 13 in addition to 8, 10 & 12 (64c1fcc1)
- Drop workarounds for Node.js 6 in Gruntfile.js (9f4204ec)
- Run tests on Travis on FirefoxHeadless as well (ad3c2efa)
- Require strict mode in Node.js scripts via ESLint (ac2da4e6)
- Support jquery-release –dry-run flag (c7a5e1bd)
- Stop copying src/core.js to dist on release (#4489, 279d2e97)
- ESLint: forbid unused function parameters (d7e13f12)
- Fix the regex parsing AMD var-modules (#4389) (36b59c96)
- Ajax: Align nonce & global with master, fix an AMD issue (22bf701f)
- Fire iframe script in its context, add doc param in globalEval (#4518, 3dedc3f2)
- Deprecate jQuery.trim (#4363, 56e73e0c)
- Use Array.prototype.flat where supported (#4320, 2f666c1d)
- Implement .even() & .odd() to replace POS :even & :odd (409cbda7)
- Update links to EdgeHTML issues to go through Web Archive (d72faced)
- Convert link to Homebrew from HTTP to HTTPS (ff5a43eb)
- Use only one focusin/out handler per matching window & document (#4652, 9e15d6b4)
- Only attach events to objects that accept data – for real (#4397, f36f6abb)
- Skip the select wrapper for option elements
- Make jQuery.htmlPrefilter an identity function (1d61fd94)
- Send px-ed strings to .css() (57038fae)
- Update Sizzle from 2.3.4 to 2.3.5 (#4424, #4435, #4441, #4453, 04bf577e)
- Make selector-native’s isXMLDoc recognize HTML-embedded SVG (2d9d6d5b)
- Blacklist one focusin test in IE (1a4f10dd)
- Pass a number of necessary done() calls to assert.async() (5ea844f6)
- Make the support tests pass on Firefox 4x/5x/60 (f0d5ec62)
- Skip a “width/height on a table row with phantom borders” test in Firefox (c79e1d5f)
- Don’t test synchronous XHR on unload in Chrome (c5b48c8c)
- Fix offset fractions tests in Chrome for Android (0c67da4b)
- Move Android user agent detection above iOS, put Safari last (6276cb2e)
- Make support tests accept Safari 13 & newer (8167327f)
- update npo.js and include unminified source instead (3654bc83)