[wp-trac] [WordPress Trac] #50564: Update jQuery step two

WordPress Trac noreply at wordpress.org
Tue Nov 10 17:44:39 UTC 2020


#50564: Update jQuery step two
-------------------------------------------+-------------------------
 Reporter:  azaozz                         |       Owner:  (none)
     Type:  task (blessed)                 |      Status:  new
 Priority:  normal                         |   Milestone:  5.6
Component:  External Libraries             |     Version:
 Severity:  normal                         |  Resolution:
 Keywords:  early has-patch needs-testing  |     Focuses:  javascript
-------------------------------------------+-------------------------

Comment (by TimoTijhof):

 Replying to [comment:2 mgol]:
 > […], we had to do a breaking change in 3.5 to resolve a security issue.
 > Details on that change are included in the 3.5 upgrade guide:
 > https://jquery.com/upgrade-guide/3.5/.
 >
 > Note that Migrate will not automatically restore previous behavior here
 > as we prefer Migrate to not reintroduce security issues by default. If
 > this upgrade is too much for you to do at once, you can call:
 > {{{
 > jQuery.UNSAFE_restoreLegacyHtmlPrefilter();
 > }}}
 > to restore the older insecure behavior, as indicated in the upgrade
 > guide. […]

 As an anecdote, on Wikipedia and for the MediaWiki software, we enabled
 this to avoid broken plugins and theme widgets.

 In a nutshell:

 {{{
  $('<div> <span/> <p/> <u/> </div>')
 }}}

 This pattern was commonly used in Wikimedia codebases, and while we have
 (mostly) moved away from this in favour of more explicit templates, the
 pattern is still common in extensions and "user script" gadgets in the
 wild.

 The pattern has also re-emerged to a small extent (by accident, and
 tolerated) in recent years due to frameworks like Svelte, Preact, and Vue
 popularizing similar shortcuts.

 However, common as it might be, when parsed natively in a browser, it
 would treat `<span/>` as identical to `<span>`, thus leaving it open. The
 concept of self-closing elements doesn't exist in HTML. What does exist is
 that `/` is tolerated, and that some elements like `<input>`, `<link>`,
 and `<br>` are considered "void" (meaning, not "openable"), so anything
 that follows them is naturally a sibling instead of a child.

 Before jQuery 3.5.1, this would produce:

 {{{
 <div>
    <span></span>
    <p></p>
    <u></u>
 </div>
 }}}

 In jQuery 3.5.1+, this starts to produce:

 {{{
 <div>
    <span>
       <p>
          <u></u>
       </p>
    </span>
 </div>
 }}}


 The way we're shipping this is by adding
 `jQuery.UNSAFE_restoreLegacyHtmlPrefilter();` to the jquery+jquerymigrate
 payload.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50564#comment:33>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform