jQuery 3.5.0 (2020-04-10)

Description

jQuery 3.5.0 has been released! As usual, the release is available on our CDN and the npm package manager.

Other third-party CDNs will probably have it soon as well, but remember that we don’t control their release schedules and they will need some time.

We hope you’re staying healthy and safe while so many of us are stuck at home. With a virus ravaging the planet, we realize that jQuery may not be a high priority for you or the sites you manage.

When you do have a moment, we recommend that you review this new version and upgrade.

Security Fix

The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt.

Here’s why: jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods.

For example, this prefilter ensured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>").

Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.

The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences.

The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break.

The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged.
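
The behaviour change described above, as an added example that is not jQuery's own code: legacyPrefilter approximates the old regex-based rewrite, prefilter350 is the pass-through, and findAffected is a hypothetical audit helper for finding HTML strings in your own code that relied on the rewrite. The regex, the function names and the sample strings are assumptions constructed for this illustration.

```javascript
// Added illustration; names and regex are assumptions, not jQuery source.
// Approximates the pre-3.5.0 rewrite of self-closed non-void tags.
const SELF_CLOSED =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Old behaviour: "<tag attrs />" becomes "<tag attrs ></tag>".
function legacyPrefilter(html) {
  return html.replace(SELF_CLOSED, "<$1></$2>");
}

// 3.5.0 behaviour as the release notes describe it: no rewriting.
function prefilter350(html) {
  return html;
}

// Audit helper: list the tags whose markup the old prefilter would have
// rewritten. After upgrading, the browser's HTML parser sees them as
// written, and it treats "<div/>" as an opening tag, so following
// content nests inside it instead of becoming a sibling.
function findAffected(html) {
  return Array.from(html.matchAll(SELF_CLOSED), (m) => ({
    tag: m[2].toLowerCase(),
    index: m.index,
    text: m[0],
  }));
}

// Constructed sample strings, as they might appear in application code.
const samples = [
  "<div class='hot' />",
  "<ul><li/><li/></ul><br/><input type='text'/>",
  "<p>already explicit</p>",
];

for (const html of samples) {
  const hits = findAffected(html);
  console.log(hits.length ? "CHANGE" : "ok    ", JSON.stringify(html));
  for (const h of hits) {
    console.log(`   offset ${h.index}: ${h.text} -> ${legacyPrefilter(h.text)}`);
  }
}
```

Any string flagged CHANGE should be rewritten with explicit closing tags before upgrading, so that it parses the same way with and without the prefilter.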

Features

With what we call “positional selectors” being deprecated and slated for removal in jQuery 4.0, we’ve added the last two necessary replacement methods.

Specifically, we’ve added the .even() and .odd() methods to replace the :even and :odd selectors. With these methods in place, we can safely remove these overly complicated selectors in jQuery 4.0.

Another small feature that we’ve added to this release is the ability to add a context to jQuery.globalEval.

This was done as part of fixing a bug with script execution in iframes.

Fixes

One fix worth highlighting is in the Ajax script transport.

jQuery used to evaluate any response to a request for a script as a script, which is not always the desired behavior.

This is different from other data types where such a convention was fine (e.g. in the case of JSON). jQuery 3.5.0 will now only evaluate successful HTTP responses.

Other bug fixes and improvements include performance improvements in Sizzle, support for massive arrays in jQuery.map, using the native .flat() method where supported, a fix for syntax errors in the AMD modules, several improvements to our testing infrastructure, and more.

You’ll find the full changelog below.

Deprecations

It wouldn’t be a jQuery release without some deprecations.

In jQuery 3.5.0, we’ve put jQuery.trim on the list.

JavaScript’s own String.prototype.trim() is an easy replacement for it.

We’ve also put AJAX event aliases on the list; they can be replaced by .on("ajaxStart", …) and the like.

jQuery Migrate will warn about these now-deprecated methods, but they’ll stick around until jQuery 4.0.

Ajax

  • Do not execute scripts for unsuccessful HTTP responses (#4250, #4655, da3dd85b)

  • Overwrite s.contentType with content-type header value, if any (#4119, 065143c2)

  • Deprecate AJAX event aliases, inline event/alias into deprecated (7a3cf9c0)

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests.

And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules.

The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:

https://code.jquery.com/jquery-3.5.0.slim.js

https://code.jquery.com/jquery-3.5.0.slim.min.js

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/.

Public CDNs receive their copies today; please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.