jQuery 3.5 - Still Relevant!
Written by Ian Elliot
Wednesday, 15 April 2020
However, things have moved on and jQuery needs to keep up. The latest version, 3.5, is now ready to use. The biggest change is the security fix to htmlPrefilter. This is mostly used internally to turn strings into correct HTML, i.e. with all closing tags present. Unfortunately it used a regex to do the job and this has recently been proved to be exploitable to create an XSS. The solution has been to simply remove the method by replacing it with a function that does nothing. This means that you may have a problem if you were relying on htmlPrefilter to fix your HTML, but only if you didn't insist on closing tags.
For example, if you used:
then htmlPrefilter would have converted this to:
but now you would get:
which isn't what you intended. If you always use closing tags in HTML mode then there is no problem.
If you really need the old behavior and can put up with the XSS risk, you can restore the behavior. However, the jQuery team recommends DOMPurify to do the job properly. It isn't part of jQuery but works perfectly with it.
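The change in behavior can be checked without a browser. The following is an added example, not code from the article: the regular expression is the one jQuery used in htmlPrefilter before 3.5, while the function names and sample strings are constructed for illustration.

```javascript
// Regex jQuery.htmlPrefilter used before 3.5. It matches XHTML-style
// self-closing tags such as <div/> unless the name starts with a listed
// void element (br, img, input, ...).
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5 behaviour: "<tag ... />" is rewritten to "<tag ... ></tag>", so the
// string given to the HTML parser is not the string the caller (or a
// sanitizer that ran earlier) saw.
function legacyPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// 3.5 behaviour: the string is passed through untouched.
function identityPrefilter(html) {
  return html;
}

// Hypothetical upgrade check: report the tags the old prefilter would have
// expanded. In 3.5 the parser ignores the "/" on non-void HTML elements and
// leaves them open, so each hit needs an explicit closing tag.
function findSelfClosedTags(html) {
  return Array.from(html.matchAll(rxhtmlTag), (m) => ({
    tag: m[2].toLowerCase(),
    index: m.index,
    text: m[0],
  }));
}

// Constructed sample strings, standing in for markup found in a code base.
const samples = [
  "<div/><span/>",
  "<div></div><span></span>",
  '<p>text<br/><img src="a.png"/></p>',
  '<li class="item" />',
];

for (const html of samples) {
  const hits = findSelfClosedTags(html);
  const status = hits.length === 0 ? "ok" : "fix: " + hits.map((h) => h.text).join(" ");
  console.log(JSON.stringify(html), "->", status);
}
```

Strings reported as "fix" are the ones whose DOM structure changes after the upgrade; strings reported as "ok" reach the parser byte-for-byte as written in both versions.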
A big change needed to fit in with the improved CSS selectors is that all positional selectors, e.g. :first, :last and so on, are being removed in jQuery 4. The reason is that they are not native selectors and the cost of implementing them is high in terms of code and time. Nearly all the positional selectors have alternative methods that do the same job, but by filtering the result of the query. For example, you could write using a positional selector:
and the query would return the first div. Alternatively you could use a method:
which first returns all of the divs and then filters out just the first one. This is all fine, except that we were missing methods for the positional selectors :even and :odd. Now in 3.5 we have them:
All you have to do now is remember to convert all positional selectors to filter methods before you upgrade to jQuery 4.
Last Updated (Wednesday, 15 April 2020)