CINXE.COM

<!DOCTYPE html> <html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns-prefetch" href="https://github.githubassets.com"> <link rel="dns-prefetch" href="https://avatars.githubusercontent.com"> <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com"> <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/"> <link rel="preconnect" href="https://github.githubassets.com" crossorigin> <link rel="preconnect" href="https://avatars.githubusercontent.com"> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/light-3e154969b9f9.css" /><link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/dark-9c5b7a476542.css" /><link data-color-theme="dark_dimmed" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_dimmed-afda8eb0fb33.css" /><link data-color-theme="dark_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_high_contrast-2494e44ccdc5.css" /><link data-color-theme="dark_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_colorblind-56fff47acadc.css" /><link data-color-theme="light_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_colorblind-71cd4cc132ec.css" /><link data-color-theme="light_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_high_contrast-fd5499848985.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_tritanopia-31d17ba3e139.css" /><link data-color-theme="dark_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_tritanopia-68d6b2c79663.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/primer-primitives-4cf0d59ab51a.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/primer-af846850481e.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/global-8b10f05a77e6.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/github-2f6e722088eb.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/repository-9c77ed90200e.css" /> <script type="application/json" id="client-env">{"locale":"en","featureFlags":["copilot_new_references_ui","copilot_beta_features_opt_in","copilot_chat_static_thread_suggestions","copilot_conversational_ux_history_refs","copilot_implicit_context","copilot_smell_icebreaker_ux","experimentation_azure_variant_endpoint","failbot_handle_non_errors","geojson_azure_maps","ghost_pilot_confidence_truncation_25","ghost_pilot_confidence_truncation_40","hovercard_accessibility","issues_react_new_timeline","issues_react_avatar_refactor","issues_react_remove_placeholders","issues_react_blur_item_picker_on_close","marketing_pages_search_explore_provider","react_keyboard_shortcuts_dialog","remove_child_patch","sample_network_conn_type","site_metered_billing_update","issues_react_first_time_contribution_banner","lifecycle_label_name_updates"]}</script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/wp-runtime-6657579a8825.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-b73fdff77a4e.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-aff936e590ed.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_arianotify-polyfill_ariaNotify-polyfill_js-node_modules_github_mi-247092-740e4ddd559d.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_failbot_failbot_ts-93b6a0551aa9.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/environment-cd35650c2e9c.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_index_mjs-4aa4b0e95669.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_js-f690fd9ae3d5.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_js-6d3967acd51c.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_combobox-nav_dist_index_js-node_modules_github_g-emoji-element_di-6ce195-53781cbc550f.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_js-node_modules_github_catalyst_-6afc16-3cdfa69a0406.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_js-f5498b8d4e5d.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-b5f1d7-492b5042c841.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_stacktrace-parser_dist_s-1f651a-1e3d784c897c.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_primer_view-co-7671f1-dc6cac136d88.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/github-elements-71486356f507.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/element-registry-e3ab8405ef80.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser-detection_js-node_modules_githu-bb80ec-634de60bacfa.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-ce7225a304c5.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_hydro-analytics-client_dist_analytics-client_js-node_modules_gith-f3aee1-e6893db9c19e.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_morphdom_dist_morphdom-e-7c534c-f8a5485c982a.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-858e043fcf76.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-893f9f-6cf3320416b8.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_esm_js-node_modules_stacktrace-pa-a71630-6f3c4f0189d8.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-0e07cc183eed.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-node_modules_github_session-resume_-0b5e12-889cec8cf448.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-eae9df0dd562.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_modules_github_sso_ts-ui_packages-900dde-18d1c91a7872.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-7cbef09a422c.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_modules_github_behaviors_include-d0d0a6-0e9fa537dc4f.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_assets_modules_github_behaviors_ht-83c235-c89801ebbe15.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/behaviors-a6e4c4c86bfa.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modules_github_catalyst_lib_index_js-f6223d90c7ba.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/notifications-global-3366f6b6298e.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modules_github_hotkey_dist_index_js-d92e69b3521a.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_github_remote-form_dist_-b96a6a-a89a51d7b98e.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_form-utils_form-utils_ts-ui_packages_input-navigation-behavior_input-navigation-b-a97423-97468312ad00.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/issues-d8e5240e0d8e.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/structured-issues-eb321c77cee9.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/primer-react-765944243383.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/react-core-cd0a67881543.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/react-lib-7b7b5264f6c1.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/octicons-react-45c3a19dd792.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_tanstack_query-core_build_modern_queryClient_js-e40bb86d3e93.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_emotion_is-prop-valid_dist_emotion-is-prop-valid_esm_js-node_modules_emo-37e3d5-31653d7f2342.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_stacktrace-parser_dist_s-e7dcdd-285fc29e9fa5.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover-fn_js-4896ddd4b7bb.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/notifications-subscriptions-menu-3eda30673b32.js"></script> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/primer-react.9fa170e9435ed4b922b9.module.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/notifications-subscriptions-menu.1bcff9205c241e99cff2.module.css" /> <title>Have Trusted Types API built directly into the jQuery Core Files · Issue #4409 · jquery/jquery · GitHub</title> <meta name="route-pattern" content="/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)" data-turbo-transient> <meta name="route-controller" content="voltron_issues_fragments" data-turbo-transient> <meta name="route-action" content="issue_layout" data-turbo-transient> <meta name="current-catalog-service-hash" content="81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114"> <meta name="request-id" content="B85A:32DFF7:503DA0:5C515B:67490AE9" data-pjax-transient="true"/><meta name="html-safe-nonce" content="5bf0afb8d57222dfab2a664c66cc0eb1d1ba24fc9dd76a34894479eed6599e3c" data-pjax-transient="true"/><meta name="visitor-payload" content="eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCODVBOjMyREZGNzo1MDNEQTA6NUM1MTVCOjY3NDkwQUU5IiwidmlzaXRvcl9pZCI6IjMzNDcwNjY3Nzg1NTUwNTg5MjEiLCJyZWdpb25fZWRnZSI6InNvdXRoZWFzdGFzaWEiLCJyZWdpb25fcmVuZGVyIjoic291dGhlYXN0YXNpYSJ9" data-pjax-transient="true"/><meta name="visitor-hmac" content="ca2c0199df66fdd7db0613083c88f15ec1a4756b25f4f5277bd6aebeb4152e5f" data-pjax-transient="true"/> <meta name="hovercard-subject-tag" content="issue:448964638" data-turbo-transient> <meta name="github-keyboard-shortcuts" content="repository,issues,copilot" data-turbo-transient="true" /> <meta name="selected-link" value="repo_issues" data-turbo-transient> <link rel="assets" href="https://github.githubassets.com/"> <meta name="google-site-verification" content="Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I"> <meta name="octolytics-url" content="https://collector.github.com/github/collect" /> <meta name="analytics-location" content="/<user-name>/<repo-name>/voltron/issues_fragments/issue_layout" data-turbo-transient="true" /> <meta name="user-login" content=""> <meta name="viewport" content="width=device-width"> <meta name="description" content="The latest version of jQuery V3.4.1 has 5 innerHTML() which are not sanitized by default. Does the jQuery team plan on addressing these DOM XSS things in the near future with regards to the new Trusted Types API see here: https://github...."> <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub"> <link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub"> <meta property="fb:app_id" content="1401488693436528"> <meta name="apple-itunes-app" content="app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/jquery/jquery/4409/issue_layout" /> <meta name="twitter:image" content="https://opengraph.githubassets.com/87149afd35df065737dc406e0a13bad2f64cdfd69c91b10971e7331ba8af64f5/jquery/jquery/issues/4409" /><meta name="twitter:site" content="@github" /><meta name="twitter:card" content="summary_large_image" /><meta name="twitter:title" content="Have Trusted Types API built directly into the jQuery Core Files · Issue #4409 · jquery/jquery" /><meta name="twitter:description" content="The latest version of jQuery V3.4.1 has 5 innerHTML() which are not sanitized by default. Does the jQuery team plan on addressing these DOM XSS things in the near future with regards to the new Tru..." /> <meta property="og:image" content="https://opengraph.githubassets.com/87149afd35df065737dc406e0a13bad2f64cdfd69c91b10971e7331ba8af64f5/jquery/jquery/issues/4409" /><meta property="og:image:alt" content="The latest version of jQuery V3.4.1 has 5 innerHTML() which are not sanitized by default. Does the jQuery team plan on addressing these DOM XSS things in the near future with regards to the new Tru..." /><meta property="og:image:width" content="1200" /><meta property="og:image:height" content="600" /><meta property="og:site_name" content="GitHub" /><meta property="og:type" content="object" /><meta property="og:title" content="Have Trusted Types API built directly into the jQuery Core Files · Issue #4409 · jquery/jquery" /><meta property="og:url" content="https://github.com/jquery/jquery/issues/4409" /><meta property="og:description" content="The latest version of jQuery V3.4.1 has 5 innerHTML() which are not sanitized by default. Does the jQuery team plan on addressing these DOM XSS things in the near future with regards to the new Tru..." /> <meta name="hostname" content="github.com"> <meta name="expected-hostname" content="github.com"> <meta http-equiv="x-pjax-version" content="0361a11d6ba7285e98ad3340b1de5998c1adf9be672ff350e645684a12c5ff34" data-turbo-track="reload"> <meta http-equiv="x-pjax-csp-version" content="ace39c3b6632770952207593607e6e0be0db363435a8b877b1f96abe6430f345" data-turbo-track="reload"> <meta http-equiv="x-pjax-css-version" content="3adbaefc258174e49a9472f62ba4ed262e7c0112f9e7266a3e927bd7b898716f" data-turbo-track="reload"> <meta http-equiv="x-pjax-js-version" content="58069173ba3ee40a605f317588f70346d3cda2c3c32d767dd6d2909bbe343612" data-turbo-track="reload"> <meta name="turbo-cache-control" content="no-preview" data-turbo-transient=""> <meta name="voltron-timing" value="1427"> <meta name="go-import" content="github.com/jquery/jquery git https://github.com/jquery/jquery.git"> <meta name="octolytics-dimension-user_id" content="70142" /><meta name="octolytics-dimension-user_login" content="jquery" /><meta name="octolytics-dimension-repository_id" content="167174" /><meta name="octolytics-dimension-repository_nwo" content="jquery/jquery" /><meta name="octolytics-dimension-repository_public" content="true" /><meta name="octolytics-dimension-repository_is_fork" content="false" /><meta name="octolytics-dimension-repository_network_root_id" content="167174" /><meta name="octolytics-dimension-repository_network_root_nwo" content="jquery/jquery" /> <meta name="turbo-body-classes" content="logged-out env-production page-responsive"> <meta name="browser-stats-url" content="https://api.github.com/_private/browser/stats"> <meta name="browser-errors-url" content="https://api.github.com/_private/browser/errors"> <link rel="mask-icon" href="https://github.githubassets.com/assets/pinned-octocat-093da3e6fa40.svg" color="#000000"> <link rel="alternate icon" class="js-site-favicon" type="image/png" href="https://github.githubassets.com/favicons/favicon.png"> <link rel="icon" class="js-site-favicon" type="image/svg+xml" href="https://github.githubassets.com/favicons/favicon.svg" data-base-href="https://github.githubassets.com/favicons/favicon"> <meta name="theme-color" content="#1e2327"> <meta name="color-scheme" content="light dark" /> <link rel="manifest" href="/manifest.json" crossOrigin="use-credentials"> </head> <body class="logged-out env-production page-responsive" style="word-wrap: break-word;"> <div data-turbo-body class="logged-out env-production page-responsive" style="word-wrap: break-word;"> <div class="position-relative header-wrapper js-header-wrapper "> <a href="#start-of-content" data-skip-target-assigned="false" class="px-2 py-4 color-bg-accent-emphasis color-fg-on-emphasis show-on-focus js-skip-to-content">Skip to content</a> <span data-view-component="true" class="progress-pjax-loader Progress position-fixed width-full"> <span style="width: 0%;" data-view-component="true" class="Progress-item progress-pjax-loader-bar left-0 top-0 color-bg-accent-emphasis"></span> </span> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/primer-react-765944243383.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/react-core-cd0a67881543.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/react-lib-7b7b5264f6c1.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/octicons-react-45c3a19dd792.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_tanstack_query-core_build_modern_queryClient_js-e40bb86d3e93.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_emotion_is-prop-valid_dist_emotion-is-prop-valid_esm_js-node_modules_emo-37e3d5-31653d7f2342.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_stacktrace-parser_dist_s-e7dcdd-285fc29e9fa5.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover-fn_js-4896ddd4b7bb.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/keyboard-shortcuts-dialog-f3cc184507a7.js"></script> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/primer-react.9fa170e9435ed4b922b9.module.css" /> <react-partial partial-name="keyboard-shortcuts-dialog" data-ssr="false" data-attempted-ssr="false" > <script type="application/json" data-target="react-partial.embeddedData">{"props":{"docsUrl":"https://docs.github.com/get-started/accessibility/keyboard-shortcuts"}}</script> <div data-target="react-partial.reactRoot"></div> </react-partial> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-94fd67-cf3dd69d89eb.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/sessions-8fa3b694f335.js"></script> <header class="HeaderMktg header-logged-out js-details-container js-header Details f4 py-3" role="banner" data-is-top="true" data-color-mode=light data-light-theme=light data-dark-theme=dark> <h2 class="sr-only">Navigation Menu</h2> <button type="button" class="HeaderMktg-backdrop d-lg-none border-0 position-fixed top-0 left-0 width-full height-full js-details-target" aria-label="Toggle navigation"> <span class="d-none">Toggle navigation</span> </button> <div class="d-flex flex-column flex-lg-row flex-items-center px-3 px-md-4 px-lg-5 height-full position-relative z-1"> <div class="d-flex flex-justify-between flex-items-center width-full width-lg-auto"> <div class="flex-1"> <button aria-label="Toggle navigation" aria-expanded="false" type="button" data-view-component="true" class="js-details-target js-nav-padding-recalculate js-header-menu-toggle Button--link Button--medium Button d-lg-none color-fg-inherit p-1"> <span class="Button-content"> <span class="Button-label"><div class="HeaderMenu-toggle-bar rounded my-1"></div> <div class="HeaderMenu-toggle-bar rounded my-1"></div> <div class="HeaderMenu-toggle-bar rounded my-1"></div></span> </span> </button> </div> <a class="mr-lg-3 color-fg-inherit flex-order-2 js-prevent-focus-on-mobile-nav" href="/" aria-label="Homepage" data-analytics-event="{"category":"Marketing nav","action":"click to go to homepage","label":"ref_page:Marketing;ref_cta:Logomark;ref_loc:Header"}"> <svg height="32" aria-hidden="true" viewBox="0 0 24 24" version="1.1" width="32" data-view-component="true" class="octicon octicon-mark-github"> <path d="M12.5.75C6.146.75 1 5.896 1 12.25c0 5.089 3.292 9.387 7.863 10.91.575.101.79-.244.79-.546 0-.273-.014-1.178-.014-2.142-2.889.532-3.636-.704-3.866-1.35-.13-.331-.69-1.352-1.18-1.625-.402-.216-.977-.748-.014-.762.906-.014 1.553.834 1.769 1.179 1.035 1.74 2.688 1.25 3.349.948.1-.747.402-1.25.733-1.538-2.559-.287-5.232-1.279-5.232-5.678 0-1.25.445-2.285 1.178-3.09-.115-.288-.517-1.467.115-3.048 0 0 .963-.302 3.163 1.179.92-.259 1.897-.388 2.875-.388.977 0 1.955.13 2.875.388 2.2-1.495 3.162-1.179 3.162-1.179.633 1.581.23 2.76.115 3.048.733.805 1.179 1.825 1.179 3.09 0 4.413-2.688 5.39-5.247 5.678.417.36.776 1.05.776 2.128 0 1.538-.014 2.774-.014 3.162 0 .302.216.662.79.547C20.709 21.637 24 17.324 24 12.25 24 5.896 18.854.75 12.5.75Z"></path> </svg> </a> <div class="flex-1 flex-order-2 text-right"> <a href="/login?return_to=https%3A%2F%2Fgithub.com%2Fjquery%2Fjquery%2Fissues%2F4409" class="HeaderMenu-link HeaderMenu-button d-inline-flex d-lg-none flex-order-1 f5 no-underline border color-border-default rounded-2 px-2 py-1 color-fg-inherit js-prevent-focus-on-mobile-nav" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"site header menu","repository_id":null,"auth_type":"SIGN_UP","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="91fe95885fcccbe72a3238c38854f85495467221324bd0e23e049e77c21c48a4" data-analytics-event="{"category":"Marketing nav","action":"click to Sign in","label":"ref_page:Marketing;ref_cta:Sign in;ref_loc:Header"}" > Sign in </a> </div> </div> <div class="HeaderMenu js-header-menu height-fit position-lg-relative d-lg-flex flex-column flex-auto top-0"> <div class="HeaderMenu-wrapper d-flex flex-column flex-self-start flex-lg-row flex-auto rounded rounded-lg-0"> <nav class="HeaderMenu-nav" aria-label="Global"> <ul class="d-lg-flex list-style-none"> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Product <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 d-lg-flex flex-wrap dropdown-menu-wide"> <div class="HeaderMenu-column px-lg-4 border-lg-right mb-4 mb-lg-0 pr-lg-7"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"github_copilot","context":"product","tag":"link","label":"github_copilot_link_product_navbar"}" href="https://github.com/features/copilot"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-copilot color-fg-subtle mr-3"> <path d="M23.922 16.992c-.861 1.495-5.859 5.023-11.922 5.023-6.063 0-11.061-3.528-11.922-5.023A.641.641 0 0 1 0 16.736v-2.869a.841.841 0 0 1 .053-.22c.372-.935 1.347-2.292 2.605-2.656.167-.429.414-1.055.644-1.517a10.195 10.195 0 0 1-.052-1.086c0-1.331.282-2.499 1.132-3.368.397-.406.89-.717 1.474-.952 1.399-1.136 3.392-2.093 6.122-2.093 2.731 0 4.767.957 6.166 2.093.584.235 1.077.546 1.474.952.85.869 1.132 2.037 1.132 3.368 0 .368-.014.733-.052 1.086.23.462.477 1.088.644 1.517 1.258.364 2.233 1.721 2.605 2.656a.832.832 0 0 1 .053.22v2.869a.641.641 0 0 1-.078.256ZM12.172 11h-.344a4.323 4.323 0 0 1-.355.508C10.703 12.455 9.555 13 7.965 13c-1.725 0-2.989-.359-3.782-1.259a2.005 2.005 0 0 1-.085-.104L4 11.741v6.585c1.435.779 4.514 2.179 8 2.179 3.486 0 6.565-1.4 8-2.179v-6.585l-.098-.104s-.033.045-.085.104c-.793.9-2.057 1.259-3.782 1.259-1.59 0-2.738-.545-3.508-1.492a4.323 4.323 0 0 1-.355-.508h-.016.016Zm.641-2.935c.136 1.057.403 1.913.878 2.497.442.544 1.134.938 2.344.938 1.573 0 2.292-.337 2.657-.751.384-.435.558-1.15.558-2.361 0-1.14-.243-1.847-.705-2.319-.477-.488-1.319-.862-2.824-1.025-1.487-.161-2.192.138-2.533.529-.269.307-.437.808-.438 1.578v.021c0 .265.021.562.063.893Zm-1.626 0c.042-.331.063-.628.063-.894v-.02c-.001-.77-.169-1.271-.438-1.578-.341-.391-1.046-.69-2.533-.529-1.505.163-2.347.537-2.824 1.025-.462.472-.705 1.179-.705 2.319 0 1.211.175 1.926.558 2.361.365.414 1.084.751 2.657.751 1.21 0 1.902-.394 2.344-.938.475-.584.742-1.44.878-2.497Z"></path><path d="M14.5 14.25a1 1 0 0 1 1 1v2a1 1 0 0 1-2 0v-2a1 1 0 0 1 1-1Zm-5 0a1 1 0 0 1 1 1v2a1 1 0 0 1-2 0v-2a1 1 0 0 1 1-1Z"></path> </svg> <div> <div class="color-fg-default h4">GitHub Copilot</div> Write better code with AI </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"security","context":"product","tag":"link","label":"security_link_product_navbar"}" href="https://github.com/features/security"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-shield-check color-fg-subtle mr-3"> <path d="M16.53 9.78a.75.75 0 0 0-1.06-1.06L11 13.19l-1.97-1.97a.75.75 0 0 0-1.06 1.06l2.5 2.5a.75.75 0 0 0 1.06 0l5-5Z"></path><path d="m12.54.637 8.25 2.675A1.75 1.75 0 0 1 22 4.976V10c0 6.19-3.771 10.704-9.401 12.83a1.704 1.704 0 0 1-1.198 0C5.77 20.705 2 16.19 2 10V4.976c0-.758.489-1.43 1.21-1.664L11.46.637a1.748 1.748 0 0 1 1.08 0Zm-.617 1.426-8.25 2.676a.249.249 0 0 0-.173.237V10c0 5.46 3.28 9.483 8.43 11.426a.199.199 0 0 0 .14 0C17.22 19.483 20.5 15.461 20.5 10V4.976a.25.25 0 0 0-.173-.237l-8.25-2.676a.253.253 0 0 0-.154 0Z"></path> </svg> <div> <div class="color-fg-default h4">Security</div> Find and fix vulnerabilities </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"actions","context":"product","tag":"link","label":"actions_link_product_navbar"}" href="https://github.com/features/actions"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-workflow color-fg-subtle mr-3"> <path d="M1 3a2 2 0 0 1 2-2h6.5a2 2 0 0 1 2 2v6.5a2 2 0 0 1-2 2H7v4.063C7 16.355 7.644 17 8.438 17H12.5v-2.5a2 2 0 0 1 2-2H21a2 2 0 0 1 2 2V21a2 2 0 0 1-2 2h-6.5a2 2 0 0 1-2-2v-2.5H8.437A2.939 2.939 0 0 1 5.5 15.562V11.5H3a2 2 0 0 1-2-2Zm2-.5a.5.5 0 0 0-.5.5v6.5a.5.5 0 0 0 .5.5h6.5a.5.5 0 0 0 .5-.5V3a.5.5 0 0 0-.5-.5ZM14.5 14a.5.5 0 0 0-.5.5V21a.5.5 0 0 0 .5.5H21a.5.5 0 0 0 .5-.5v-6.5a.5.5 0 0 0-.5-.5Z"></path> </svg> <div> <div class="color-fg-default h4">Actions</div> Automate any workflow </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"codespaces","context":"product","tag":"link","label":"codespaces_link_product_navbar"}" href="https://github.com/features/codespaces"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-codespaces color-fg-subtle mr-3"> <path d="M3.5 3.75C3.5 2.784 4.284 2 5.25 2h13.5c.966 0 1.75.784 1.75 1.75v7.5A1.75 1.75 0 0 1 18.75 13H5.25a1.75 1.75 0 0 1-1.75-1.75Zm-2 12c0-.966.784-1.75 1.75-1.75h17.5c.966 0 1.75.784 1.75 1.75v4a1.75 1.75 0 0 1-1.75 1.75H3.25a1.75 1.75 0 0 1-1.75-1.75ZM5.25 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h13.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Zm-2 12a.25.25 0 0 0-.25.25v4c0 .138.112.25.25.25h17.5a.25.25 0 0 0 .25-.25v-4a.25.25 0 0 0-.25-.25Z"></path><path d="M10 17.75a.75.75 0 0 1 .75-.75h6.5a.75.75 0 0 1 0 1.5h-6.5a.75.75 0 0 1-.75-.75Zm-4 0a.75.75 0 0 1 .75-.75h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1-.75-.75Z"></path> </svg> <div> <div class="color-fg-default h4">Codespaces</div> Instant dev environments </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"issues","context":"product","tag":"link","label":"issues_link_product_navbar"}" href="https://github.com/features/issues"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-issue-opened color-fg-subtle mr-3"> <path d="M12 1c6.075 0 11 4.925 11 11s-4.925 11-11 11S1 18.075 1 12 5.925 1 12 1ZM2.5 12a9.5 9.5 0 0 0 9.5 9.5 9.5 9.5 0 0 0 9.5-9.5A9.5 9.5 0 0 0 12 2.5 9.5 9.5 0 0 0 2.5 12Zm9.5 2a2 2 0 1 1-.001-3.999A2 2 0 0 1 12 14Z"></path> </svg> <div> <div class="color-fg-default h4">Issues</div> Plan and track work </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"code_review","context":"product","tag":"link","label":"code_review_link_product_navbar"}" href="https://github.com/features/code-review"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-code-review color-fg-subtle mr-3"> <path d="M10.3 6.74a.75.75 0 0 1-.04 1.06l-2.908 2.7 2.908 2.7a.75.75 0 1 1-1.02 1.1l-3.5-3.25a.75.75 0 0 1 0-1.1l3.5-3.25a.75.75 0 0 1 1.06.04Zm3.44 1.06a.75.75 0 1 1 1.02-1.1l3.5 3.25a.75.75 0 0 1 0 1.1l-3.5 3.25a.75.75 0 1 1-1.02-1.1l2.908-2.7-2.908-2.7Z"></path><path d="M1.5 4.25c0-.966.784-1.75 1.75-1.75h17.5c.966 0 1.75.784 1.75 1.75v12.5a1.75 1.75 0 0 1-1.75 1.75h-9.69l-3.573 3.573A1.458 1.458 0 0 1 5 21.043V18.5H3.25a1.75 1.75 0 0 1-1.75-1.75ZM3.25 4a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h2.5a.75.75 0 0 1 .75.75v3.19l3.72-3.72a.749.749 0 0 1 .53-.22h10a.25.25 0 0 0 .25-.25V4.25a.25.25 0 0 0-.25-.25Z"></path> </svg> <div> <div class="color-fg-default h4">Code Review</div> Manage code changes </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"discussions","context":"product","tag":"link","label":"discussions_link_product_navbar"}" href="https://github.com/features/discussions"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-comment-discussion color-fg-subtle mr-3"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 14.25 14H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 15.543V14H1.75A1.75 1.75 0 0 1 0 12.25v-9.5C0 1.784.784 1 1.75 1ZM1.5 2.75v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Z"></path><path d="M22.5 8.75a.25.25 0 0 0-.25-.25h-3.5a.75.75 0 0 1 0-1.5h3.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 22.25 20H21v1.543a1.457 1.457 0 0 1-2.487 1.03L15.939 20H10.75A1.75 1.75 0 0 1 9 18.25v-1.465a.75.75 0 0 1 1.5 0v1.465c0 .138.112.25.25.25h5.5a.75.75 0 0 1 .53.22l2.72 2.72v-2.19a.75.75 0 0 1 .75-.75h2a.25.25 0 0 0 .25-.25v-9.5Z"></path> </svg> <div> <div class="color-fg-default h4">Discussions</div> Collaborate outside of code </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"code_search","context":"product","tag":"link","label":"code_search_link_product_navbar"}" href="https://github.com/features/code-search"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-code-square color-fg-subtle mr-3"> <path d="M10.3 8.24a.75.75 0 0 1-.04 1.06L7.352 12l2.908 2.7a.75.75 0 1 1-1.02 1.1l-3.5-3.25a.75.75 0 0 1 0-1.1l3.5-3.25a.75.75 0 0 1 1.06.04Zm3.44 1.06a.75.75 0 1 1 1.02-1.1l3.5 3.25a.75.75 0 0 1 0 1.1l-3.5 3.25a.75.75 0 1 1-1.02-1.1l2.908-2.7-2.908-2.7Z"></path><path d="M2 3.75C2 2.784 2.784 2 3.75 2h16.5c.966 0 1.75.784 1.75 1.75v16.5A1.75 1.75 0 0 1 20.25 22H3.75A1.75 1.75 0 0 1 2 20.25Zm1.75-.25a.25.25 0 0 0-.25.25v16.5c0 .138.112.25.25.25h16.5a.25.25 0 0 0 .25-.25V3.75a.25.25 0 0 0-.25-.25Z"></path> </svg> <div> <div class="color-fg-default h4">Code Search</div> Find more, search less </div> </a></li> </ul> </div> </div> <div class="HeaderMenu-column px-lg-4"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="product-explore-heading">Explore</span> <ul class="list-style-none f5" aria-labelledby="product-explore-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"all_features","context":"product","tag":"link","label":"all_features_link_product_navbar"}" href="https://github.com/features"> All features </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"documentation","context":"product","tag":"link","label":"documentation_link_product_navbar"}" href="https://docs.github.com"> Documentation <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"github_skills","context":"product","tag":"link","label":"github_skills_link_product_navbar"}" href="https://skills.github.com"> GitHub Skills <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"blog","context":"product","tag":"link","label":"blog_link_product_navbar"}" href="https://github.blog"> Blog <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Solutions <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 d-lg-flex flex-wrap dropdown-menu-wide"> <div class="HeaderMenu-column px-lg-4 border-lg-right mb-4 mb-lg-0 pr-lg-7"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0 pb-lg-3 mb-3 mb-lg-0"> <span class="d-block h4 color-fg-default my-1" id="solutions-by-company-size-heading">By company size</span> <ul class="list-style-none f5" aria-labelledby="solutions-by-company-size-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"enterprises","context":"solutions","tag":"link","label":"enterprises_link_solutions_navbar"}" href="https://github.com/enterprise"> Enterprises </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"small_and_medium_teams","context":"solutions","tag":"link","label":"small_and_medium_teams_link_solutions_navbar"}" href="https://github.com/team"> Small and medium teams </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"startups","context":"solutions","tag":"link","label":"startups_link_solutions_navbar"}" href="https://github.com/enterprise/startups"> Startups </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="solutions-by-use-case-heading">By use case</span> <ul class="list-style-none f5" aria-labelledby="solutions-by-use-case-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"devsecops","context":"solutions","tag":"link","label":"devsecops_link_solutions_navbar"}" href="/solutions/use-case/devsecops"> DevSecOps </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"devops","context":"solutions","tag":"link","label":"devops_link_solutions_navbar"}" href="/solutions/use-case/devops"> DevOps </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"ci_cd","context":"solutions","tag":"link","label":"ci_cd_link_solutions_navbar"}" href="/solutions/use-case/ci-cd"> CI/CD </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"view_all_use_cases","context":"solutions","tag":"link","label":"view_all_use_cases_link_solutions_navbar"}" href="/solutions/use-case"> View all use cases </a></li> </ul> </div> </div> <div class="HeaderMenu-column px-lg-4"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="solutions-by-industry-heading">By industry</span> <ul class="list-style-none f5" aria-labelledby="solutions-by-industry-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"healthcare","context":"solutions","tag":"link","label":"healthcare_link_solutions_navbar"}" href="/solutions/industry/healthcare"> Healthcare </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"financial_services","context":"solutions","tag":"link","label":"financial_services_link_solutions_navbar"}" href="/solutions/industry/financial-services"> Financial services </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"manufacturing","context":"solutions","tag":"link","label":"manufacturing_link_solutions_navbar"}" href="/solutions/industry/manufacturing"> Manufacturing </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"government","context":"solutions","tag":"link","label":"government_link_solutions_navbar"}" href="/solutions/industry/government"> Government </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"view_all_industries","context":"solutions","tag":"link","label":"view_all_industries_link_solutions_navbar"}" href="/solutions/industry"> View all industries </a></li> </ul> </div> </div> <div class="HeaderMenu-trailing-link rounded-bottom-2 flex-shrink-0 mt-lg-4 px-lg-4 py-4 py-lg-3 f5 text-semibold"> <a href="/solutions"> View all solutions <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-right HeaderMenu-trailing-link-icon"> <path d="M6.22 3.22a.75.75 0 0 1 1.06 0l4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L9.94 8 6.22 4.28a.75.75 0 0 1 0-1.06Z"></path> </svg> </a> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Resources <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 d-lg-flex flex-wrap dropdown-menu-wide"> <div class="HeaderMenu-column px-lg-4 border-lg-right mb-4 mb-lg-0 pr-lg-7"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="resources-topics-heading">Topics</span> <ul class="list-style-none f5" aria-labelledby="resources-topics-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"ai","context":"resources","tag":"link","label":"ai_link_resources_navbar"}" href="/resources/articles/ai"> AI </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"devops","context":"resources","tag":"link","label":"devops_link_resources_navbar"}" href="/resources/articles/devops"> DevOps </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"security","context":"resources","tag":"link","label":"security_link_resources_navbar"}" href="/resources/articles/security"> Security </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"software_development","context":"resources","tag":"link","label":"software_development_link_resources_navbar"}" href="/resources/articles/software-development"> Software Development </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"view_all","context":"resources","tag":"link","label":"view_all_link_resources_navbar"}" href="/resources/articles"> View all </a></li> </ul> </div> </div> <div class="HeaderMenu-column px-lg-4"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="resources-explore-heading">Explore</span> <ul class="list-style-none f5" aria-labelledby="resources-explore-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"learning_pathways","context":"resources","tag":"link","label":"learning_pathways_link_resources_navbar"}" href="https://resources.github.com/learn/pathways"> Learning Pathways <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"white_papers_ebooks_webinars","context":"resources","tag":"link","label":"white_papers_ebooks_webinars_link_resources_navbar"}" href="https://resources.github.com"> White papers, Ebooks, Webinars <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"customer_stories","context":"resources","tag":"link","label":"customer_stories_link_resources_navbar"}" href="https://github.com/customer-stories"> Customer Stories </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"partners","context":"resources","tag":"link","label":"partners_link_resources_navbar"}" href="https://partner.github.com"> Partners <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Open Source <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 px-lg-4"> <div class="HeaderMenu-column"> <div class="border-bottom pb-3 pb-lg-0 pb-lg-3 mb-3 mb-lg-0 mb-lg-3"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"github_sponsors","context":"open_source","tag":"link","label":"github_sponsors_link_open_source_navbar"}" href="/sponsors"> <div> <div class="color-fg-default h4">GitHub Sponsors</div> Fund open source developers </div> </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 pb-lg-3 mb-3 mb-lg-0 mb-lg-3"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"the_readme_project","context":"open_source","tag":"link","label":"the_readme_project_link_open_source_navbar"}" href="https://github.com/readme"> <div> <div class="color-fg-default h4">The ReadME Project</div> GitHub community articles </div> </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="open-source-repositories-heading">Repositories</span> <ul class="list-style-none f5" aria-labelledby="open-source-repositories-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"topics","context":"open_source","tag":"link","label":"topics_link_open_source_navbar"}" href="https://github.com/topics"> Topics </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"trending","context":"open_source","tag":"link","label":"trending_link_open_source_navbar"}" href="https://github.com/trending"> Trending </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"collections","context":"open_source","tag":"link","label":"collections_link_open_source_navbar"}" href="https://github.com/collections"> Collections </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Enterprise <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 px-lg-4"> <div class="HeaderMenu-column"> <div class="border-bottom pb-3 pb-lg-0 pb-lg-3 mb-3 mb-lg-0 mb-lg-3"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"enterprise_platform","context":"enterprise","tag":"link","label":"enterprise_platform_link_enterprise_navbar"}" href="/enterprise"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-stack color-fg-subtle mr-3"> <path d="M11.063 1.456a1.749 1.749 0 0 1 1.874 0l8.383 5.316a1.751 1.751 0 0 1 0 2.956l-8.383 5.316a1.749 1.749 0 0 1-1.874 0L2.68 9.728a1.751 1.751 0 0 1 0-2.956Zm1.071 1.267a.25.25 0 0 0-.268 0L3.483 8.039a.25.25 0 0 0 0 .422l8.383 5.316a.25.25 0 0 0 .268 0l8.383-5.316a.25.25 0 0 0 0-.422Z"></path><path d="M1.867 12.324a.75.75 0 0 1 1.035-.232l8.964 5.685a.25.25 0 0 0 .268 0l8.964-5.685a.75.75 0 0 1 .804 1.267l-8.965 5.685a1.749 1.749 0 0 1-1.874 0l-8.965-5.685a.75.75 0 0 1-.231-1.035Z"></path><path d="M1.867 16.324a.75.75 0 0 1 1.035-.232l8.964 5.685a.25.25 0 0 0 .268 0l8.964-5.685a.75.75 0 0 1 .804 1.267l-8.965 5.685a1.749 1.749 0 0 1-1.874 0l-8.965-5.685a.75.75 0 0 1-.231-1.035Z"></path> </svg> <div> <div class="color-fg-default h4">Enterprise platform</div> AI-powered developer platform </div> </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="enterprise-available-add-ons-heading">Available add-ons</span> <ul class="list-style-none f5" aria-labelledby="enterprise-available-add-ons-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"advanced_security","context":"enterprise","tag":"link","label":"advanced_security_link_enterprise_navbar"}" href="https://github.com/enterprise/advanced-security"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-shield-check color-fg-subtle mr-3"> <path d="M16.53 9.78a.75.75 0 0 0-1.06-1.06L11 13.19l-1.97-1.97a.75.75 0 0 0-1.06 1.06l2.5 2.5a.75.75 0 0 0 1.06 0l5-5Z"></path><path d="m12.54.637 8.25 2.675A1.75 1.75 0 0 1 22 4.976V10c0 6.19-3.771 10.704-9.401 12.83a1.704 1.704 0 0 1-1.198 0C5.77 20.705 2 16.19 2 10V4.976c0-.758.489-1.43 1.21-1.664L11.46.637a1.748 1.748 0 0 1 1.08 0Zm-.617 1.426-8.25 2.676a.249.249 0 0 0-.173.237V10c0 5.46 3.28 9.483 8.43 11.426a.199.199 0 0 0 .14 0C17.22 19.483 20.5 15.461 20.5 10V4.976a.25.25 0 0 0-.173-.237l-8.25-2.676a.253.253 0 0 0-.154 0Z"></path> </svg> <div> <div class="color-fg-default h4">Advanced Security</div> Enterprise-grade security features </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"github_copilot","context":"enterprise","tag":"link","label":"github_copilot_link_enterprise_navbar"}" href="/features/copilot#enterprise"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-copilot color-fg-subtle mr-3"> <path d="M23.922 16.992c-.861 1.495-5.859 5.023-11.922 5.023-6.063 0-11.061-3.528-11.922-5.023A.641.641 0 0 1 0 16.736v-2.869a.841.841 0 0 1 .053-.22c.372-.935 1.347-2.292 2.605-2.656.167-.429.414-1.055.644-1.517a10.195 10.195 0 0 1-.052-1.086c0-1.331.282-2.499 1.132-3.368.397-.406.89-.717 1.474-.952 1.399-1.136 3.392-2.093 6.122-2.093 2.731 0 4.767.957 6.166 2.093.584.235 1.077.546 1.474.952.85.869 1.132 2.037 1.132 3.368 0 .368-.014.733-.052 1.086.23.462.477 1.088.644 1.517 1.258.364 2.233 1.721 2.605 2.656a.832.832 0 0 1 .053.22v2.869a.641.641 0 0 1-.078.256ZM12.172 11h-.344a4.323 4.323 0 0 1-.355.508C10.703 12.455 9.555 13 7.965 13c-1.725 0-2.989-.359-3.782-1.259a2.005 2.005 0 0 1-.085-.104L4 11.741v6.585c1.435.779 4.514 2.179 8 2.179 3.486 0 6.565-1.4 8-2.179v-6.585l-.098-.104s-.033.045-.085.104c-.793.9-2.057 1.259-3.782 1.259-1.59 0-2.738-.545-3.508-1.492a4.323 4.323 0 0 1-.355-.508h-.016.016Zm.641-2.935c.136 1.057.403 1.913.878 2.497.442.544 1.134.938 2.344.938 1.573 0 2.292-.337 2.657-.751.384-.435.558-1.15.558-2.361 0-1.14-.243-1.847-.705-2.319-.477-.488-1.319-.862-2.824-1.025-1.487-.161-2.192.138-2.533.529-.269.307-.437.808-.438 1.578v.021c0 .265.021.562.063.893Zm-1.626 0c.042-.331.063-.628.063-.894v-.02c-.001-.77-.169-1.271-.438-1.578-.341-.391-1.046-.69-2.533-.529-1.505.163-2.347.537-2.824 1.025-.462.472-.705 1.179-.705 2.319 0 1.211.175 1.926.558 2.361.365.414 1.084.751 2.657.751 1.21 0 1.902-.394 2.344-.938.475-.584.742-1.44.878-2.497Z"></path><path d="M14.5 14.25a1 1 0 0 1 1 1v2a1 1 0 0 1-2 0v-2a1 1 0 0 1 1-1Zm-5 0a1 1 0 0 1 1 1v2a1 1 0 0 1-2 0v-2a1 1 0 0 1 1-1Z"></path> </svg> <div> <div class="color-fg-default h4">GitHub Copilot</div> Enterprise-grade AI features </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"premium_support","context":"enterprise","tag":"link","label":"premium_support_link_enterprise_navbar"}" href="/premium-support"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-comment-discussion color-fg-subtle mr-3"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 14.25 14H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 15.543V14H1.75A1.75 1.75 0 0 1 0 12.25v-9.5C0 1.784.784 1 1.75 1ZM1.5 2.75v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Z"></path><path d="M22.5 8.75a.25.25 0 0 0-.25-.25h-3.5a.75.75 0 0 1 0-1.5h3.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 22.25 20H21v1.543a1.457 1.457 0 0 1-2.487 1.03L15.939 20H10.75A1.75 1.75 0 0 1 9 18.25v-1.465a.75.75 0 0 1 1.5 0v1.465c0 .138.112.25.25.25h5.5a.75.75 0 0 1 .53.22l2.72 2.72v-2.19a.75.75 0 0 1 .75-.75h2a.25.25 0 0 0 .25-.25v-9.5Z"></path> </svg> <div> <div class="color-fg-default h4">Premium Support</div> Enterprise-grade 24/7 support </div> </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <a class="HeaderMenu-link no-underline px-0 px-lg-2 py-3 py-lg-2 d-block d-lg-inline-block" data-analytics-event="{"location":"navbar","action":"pricing","context":"global","tag":"link","label":"pricing_link_global_navbar"}" href="https://github.com/pricing">Pricing</a> </li> </ul> </nav> <div class="d-flex flex-column flex-lg-row width-full flex-justify-end flex-lg-items-center text-center mt-3 mt-lg-0 text-lg-left ml-lg-3"> <qbsearch-input class="search-input" data-scope="repo:jquery/jquery" data-custom-scopes-path="/search/custom_scopes" data-delete-custom-scopes-csrf="oZyhOw31PRAJO1KsdB6M8VnGOAGfh0hh1VQaMyfibk8rRso0PMm8Hhau7g8Dhk37MvJES7T8k01SGCHNvx2asQ" data-max-custom-scopes="10" data-header-redesign-enabled="false" data-initial-value="" data-blackbird-suggestions-path="/search/suggestions" data-jump-to-suggestions-path="/_graphql/GetSuggestedNavigationDestinations" data-current-repository="jquery/jquery" data-current-org="jquery" data-current-owner="" data-logged-in="false" data-copilot-chat-enabled="false" data-nl-search-enabled="false" data-retain-scroll-position="true"> <div class="search-input-container search-with-dialog position-relative d-flex flex-row flex-items-center mr-4 rounded" data-action="click:qbsearch-input#searchInputContainerClicked" > <button type="button" class="header-search-button placeholder input-button form-control d-flex flex-1 flex-self-stretch flex-items-center no-wrap width-full py-0 pl-2 pr-0 text-left border-0 box-shadow-none" data-target="qbsearch-input.inputButton" aria-label="Search or jump to…" aria-haspopup="dialog" placeholder="Search or jump to..." data-hotkey=s,/ autocapitalize="off" data-analytics-event="{"location":"navbar","action":"searchbar","context":"global","tag":"input","label":"searchbar_input_global_navbar"}" data-action="click:qbsearch-input#handleExpand" > <div class="mr-2 color-fg-muted"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-search"> <path d="M10.68 11.74a6 6 0 0 1-7.922-8.982 6 6 0 0 1 8.982 7.922l3.04 3.04a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215ZM11.5 7a4.499 4.499 0 1 0-8.997 0A4.499 4.499 0 0 0 11.5 7Z"></path> </svg> </div> <span class="flex-1" data-target="qbsearch-input.inputButtonText">Search or jump to...</span> <div class="d-flex" data-target="qbsearch-input.hotkeyIndicator"> <svg xmlns="http://www.w3.org/2000/svg" width="22" height="20" aria-hidden="true" class="mr-1"><path fill="none" stroke="#979A9C" opacity=".4" d="M3.5.5h12c1.7 0 3 1.3 3 3v13c0 1.7-1.3 3-3 3h-12c-1.7 0-3-1.3-3-3v-13c0-1.7 1.3-3 3-3z"></path><path fill="#979A9C" d="M11.8 6L8 15.1h-.9L10.8 6h1z"></path></svg> </div> </button> <input type="hidden" name="type" class="js-site-search-type-field"> <div class="Overlay--hidden " data-modal-dialog-overlay> <modal-dialog data-action="close:qbsearch-input#handleClose cancel:qbsearch-input#handleClose" data-target="qbsearch-input.searchSuggestionsDialog" role="dialog" id="search-suggestions-dialog" aria-modal="true" aria-labelledby="search-suggestions-dialog-header" data-view-component="true" class="Overlay Overlay--width-large Overlay--height-auto"> <h1 id="search-suggestions-dialog-header" class="sr-only">Search code, repositories, users, issues, pull requests...</h1> <div class="Overlay-body Overlay-body--paddingNone"> <div data-view-component="true"> <div class="search-suggestions position-fixed width-full color-shadow-large border color-fg-default color-bg-default overflow-hidden d-flex flex-column query-builder-container" style="border-radius: 12px;" data-target="qbsearch-input.queryBuilderContainer" hidden > </option></form><form id="query-builder-test-form" action="" accept-charset="UTF-8" method="get"> <query-builder data-target="qbsearch-input.queryBuilder" id="query-builder-query-builder-test" data-filter-key=":" data-view-component="true" class="QueryBuilder search-query-builder"> <div class="FormControl FormControl--fullWidth"> <label id="query-builder-test-label" for="query-builder-test" class="FormControl-label sr-only"> Search </label> <div class="QueryBuilder-StyledInput width-fit " data-target="query-builder.styledInput" > <span id="query-builder-test-leadingvisual-wrap" class="FormControl-input-leadingVisualWrap QueryBuilder-leadingVisualWrap"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-search FormControl-input-leadingVisual"> <path d="M10.68 11.74a6 6 0 0 1-7.922-8.982 6 6 0 0 1 8.982 7.922l3.04 3.04a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215ZM11.5 7a4.499 4.499 0 1 0-8.997 0A4.499 4.499 0 0 0 11.5 7Z"></path> </svg> </span> <div data-target="query-builder.styledInputContainer" class="QueryBuilder-StyledInputContainer"> <div aria-hidden="true" class="QueryBuilder-StyledInputContent" data-target="query-builder.styledInputContent" ></div> <div class="QueryBuilder-InputWrapper"> <div aria-hidden="true" class="QueryBuilder-Sizer" data-target="query-builder.sizer"></div> <input id="query-builder-test" name="query-builder-test" value="" autocomplete="off" type="text" role="combobox" spellcheck="false" aria-expanded="false" aria-describedby="validation-14b41df9-8cd2-4293-9e51-076bd798677b" data-target="query-builder.input" data-action=" input:query-builder#inputChange blur:query-builder#inputBlur keydown:query-builder#inputKeydown focus:query-builder#inputFocus " data-view-component="true" class="FormControl-input QueryBuilder-Input FormControl-medium" /> </div> </div> <span class="sr-only" id="query-builder-test-clear">Clear</span> <button role="button" id="query-builder-test-clear-button" aria-labelledby="query-builder-test-clear query-builder-test-label" data-target="query-builder.clearButton" data-action=" click:query-builder#clear focus:query-builder#clearButtonFocus blur:query-builder#clearButtonBlur " variant="small" hidden="hidden" type="button" data-view-component="true" class="Button Button--iconOnly Button--invisible Button--medium mr-1 px-2 py-0 d-flex flex-items-center rounded-1 color-fg-muted"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x-circle-fill Button-visual"> <path d="M2.343 13.657A8 8 0 1 1 13.658 2.343 8 8 0 0 1 2.343 13.657ZM6.03 4.97a.751.751 0 0 0-1.042.018.751.751 0 0 0-.018 1.042L6.94 8 4.97 9.97a.749.749 0 0 0 .326 1.275.749.749 0 0 0 .734-.215L8 9.06l1.97 1.97a.749.749 0 0 0 1.275-.326.749.749 0 0 0-.215-.734L9.06 8l1.97-1.97a.749.749 0 0 0-.326-1.275.749.749 0 0 0-.734.215L8 6.94Z"></path> </svg> </button> </div> <template id="search-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-search"> <path d="M10.68 11.74a6 6 0 0 1-7.922-8.982 6 6 0 0 1 8.982 7.922l3.04 3.04a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215ZM11.5 7a4.499 4.499 0 1 0-8.997 0A4.499 4.499 0 0 0 11.5 7Z"></path> </svg> </template> <template id="code-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code"> <path d="m11.28 3.22 4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L13.94 8l-3.72-3.72a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215Zm-6.56 0a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042L2.06 8l3.72 3.72a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L.47 8.53a.75.75 0 0 1 0-1.06Z"></path> </svg> </template> <template id="file-code-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file-code"> <path d="M4 1.75C4 .784 4.784 0 5.75 0h5.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v8.586A1.75 1.75 0 0 1 14.25 15h-9a.75.75 0 0 1 0-1.5h9a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 10 4.25V1.5H5.75a.25.25 0 0 0-.25.25v2.5a.75.75 0 0 1-1.5 0Zm1.72 4.97a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l1.47-1.47-1.47-1.47a.75.75 0 0 1 0-1.06ZM3.28 7.78 1.81 9.25l1.47 1.47a.751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018l-2-2a.75.75 0 0 1 0-1.06l2-2a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Zm8.22-6.218V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path> </svg> </template> <template id="history-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-history"> <path d="m.427 1.927 1.215 1.215a8.002 8.002 0 1 1-1.6 5.685.75.75 0 1 1 1.493-.154 6.5 6.5 0 1 0 1.18-4.458l1.358 1.358A.25.25 0 0 1 3.896 6H.25A.25.25 0 0 1 0 5.75V2.104a.25.25 0 0 1 .427-.177ZM7.75 4a.75.75 0 0 1 .75.75v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5A.75.75 0 0 1 7.75 4Z"></path> </svg> </template> <template id="repo-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-repo"> <path d="M2 2.5A2.5 2.5 0 0 1 4.5 0h8.75a.75.75 0 0 1 .75.75v12.5a.75.75 0 0 1-.75.75h-2.5a.75.75 0 0 1 0-1.5h1.75v-2h-8a1 1 0 0 0-.714 1.7.75.75 0 1 1-1.072 1.05A2.495 2.495 0 0 1 2 11.5Zm10.5-1h-8a1 1 0 0 0-1 1v6.708A2.486 2.486 0 0 1 4.5 9h8ZM5 12.25a.25.25 0 0 1 .25-.25h3.5a.25.25 0 0 1 .25.25v3.25a.25.25 0 0 1-.4.2l-1.45-1.087a.249.249 0 0 0-.3 0L5.4 15.7a.25.25 0 0 1-.4-.2Z"></path> </svg> </template> <template id="bookmark-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-bookmark"> <path d="M3 2.75C3 1.784 3.784 1 4.75 1h6.5c.966 0 1.75.784 1.75 1.75v11.5a.75.75 0 0 1-1.227.579L8 11.722l-3.773 3.107A.751.751 0 0 1 3 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v9.91l3.023-2.489a.75.75 0 0 1 .954 0l3.023 2.49V2.75a.25.25 0 0 0-.25-.25Z"></path> </svg> </template> <template id="plus-circle-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-plus-circle"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7.25-3.25v2.5h2.5a.75.75 0 0 1 0 1.5h-2.5v2.5a.75.75 0 0 1-1.5 0v-2.5h-2.5a.75.75 0 0 1 0-1.5h2.5v-2.5a.75.75 0 0 1 1.5 0Z"></path> </svg> </template> <template id="circle-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-dot-fill"> <path d="M8 4a4 4 0 1 1 0 8 4 4 0 0 1 0-8Z"></path> </svg> </template> <template id="trash-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-trash"> <path d="M11 1.75V3h2.25a.75.75 0 0 1 0 1.5H2.75a.75.75 0 0 1 0-1.5H5V1.75C5 .784 5.784 0 6.75 0h2.5C10.216 0 11 .784 11 1.75ZM4.496 6.675l.66 6.6a.25.25 0 0 0 .249.225h5.19a.25.25 0 0 0 .249-.225l.66-6.6a.75.75 0 0 1 1.492.149l-.66 6.6A1.748 1.748 0 0 1 10.595 15h-5.19a1.75 1.75 0 0 1-1.741-1.575l-.66-6.6a.75.75 0 1 1 1.492-.15ZM6.5 1.75V3h3V1.75a.25.25 0 0 0-.25-.25h-2.5a.25.25 0 0 0-.25.25Z"></path> </svg> </template> <template id="team-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-people"> <path d="M2 5.5a3.5 3.5 0 1 1 5.898 2.549 5.508 5.508 0 0 1 3.034 4.084.75.75 0 1 1-1.482.235 4 4 0 0 0-7.9 0 .75.75 0 0 1-1.482-.236A5.507 5.507 0 0 1 3.102 8.05 3.493 3.493 0 0 1 2 5.5ZM11 4a3.001 3.001 0 0 1 2.22 5.018 5.01 5.01 0 0 1 2.56 3.012.749.749 0 0 1-.885.954.752.752 0 0 1-.549-.514 3.507 3.507 0 0 0-2.522-2.372.75.75 0 0 1-.574-.73v-.352a.75.75 0 0 1 .416-.672A1.5 1.5 0 0 0 11 5.5.75.75 0 0 1 11 4Zm-5.5-.5a2 2 0 1 0-.001 3.999A2 2 0 0 0 5.5 3.5Z"></path> </svg> </template> <template id="project-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-project"> <path d="M1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25V1.75C0 .784.784 0 1.75 0ZM1.5 1.75v12.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25ZM11.75 3a.75.75 0 0 1 .75.75v7.5a.75.75 0 0 1-1.5 0v-7.5a.75.75 0 0 1 .75-.75Zm-8.25.75a.75.75 0 0 1 1.5 0v5.5a.75.75 0 0 1-1.5 0ZM8 3a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 3Z"></path> </svg> </template> <template id="pencil-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-pencil"> <path d="M11.013 1.427a1.75 1.75 0 0 1 2.474 0l1.086 1.086a1.75 1.75 0 0 1 0 2.474l-8.61 8.61c-.21.21-.47.364-.756.445l-3.251.93a.75.75 0 0 1-.927-.928l.929-3.25c.081-.286.235-.547.445-.758l8.61-8.61Zm.176 4.823L9.75 4.81l-6.286 6.287a.253.253 0 0 0-.064.108l-.558 1.953 1.953-.558a.253.253 0 0 0 .108-.064Zm1.238-3.763a.25.25 0 0 0-.354 0L10.811 3.75l1.439 1.44 1.263-1.263a.25.25 0 0 0 0-.354Z"></path> </svg> </template> <template id="copilot-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copilot"> <path d="M7.998 15.035c-4.562 0-7.873-2.914-7.998-3.749V9.338c.085-.628.677-1.686 1.588-2.065.013-.07.024-.143.036-.218.029-.183.06-.384.126-.612-.201-.508-.254-1.084-.254-1.656 0-.87.128-1.769.693-2.484.579-.733 1.494-1.124 2.724-1.261 1.206-.134 2.262.034 2.944.765.05.053.096.108.139.165.044-.057.094-.112.143-.165.682-.731 1.738-.899 2.944-.765 1.23.137 2.145.528 2.724 1.261.566.715.693 1.614.693 2.484 0 .572-.053 1.148-.254 1.656.066.228.098.429.126.612.012.076.024.148.037.218.924.385 1.522 1.471 1.591 2.095v1.872c0 .766-3.351 3.795-8.002 3.795Zm0-1.485c2.28 0 4.584-1.11 5.002-1.433V7.862l-.023-.116c-.49.21-1.075.291-1.727.291-1.146 0-2.059-.327-2.71-.991A3.222 3.222 0 0 1 8 6.303a3.24 3.24 0 0 1-.544.743c-.65.664-1.563.991-2.71.991-.652 0-1.236-.081-1.727-.291l-.023.116v4.255c.419.323 2.722 1.433 5.002 1.433ZM6.762 2.83c-.193-.206-.637-.413-1.682-.297-1.019.113-1.479.404-1.713.7-.247.312-.369.789-.369 1.554 0 .793.129 1.171.308 1.371.162.181.519.379 1.442.379.853 0 1.339-.235 1.638-.54.315-.322.527-.827.617-1.553.117-.935-.037-1.395-.241-1.614Zm4.155-.297c-1.044-.116-1.488.091-1.681.297-.204.219-.359.679-.242 1.614.091.726.303 1.231.618 1.553.299.305.784.54 1.638.54.922 0 1.28-.198 1.442-.379.179-.2.308-.578.308-1.371 0-.765-.123-1.242-.37-1.554-.233-.296-.693-.587-1.713-.7Z"></path><path d="M6.25 9.037a.75.75 0 0 1 .75.75v1.501a.75.75 0 0 1-1.5 0V9.787a.75.75 0 0 1 .75-.75Zm4.25.75v1.501a.75.75 0 0 1-1.5 0V9.787a.75.75 0 0 1 1.5 0Z"></path> </svg> </template> <template id="copilot-error-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copilot-error"> <path d="M16 11.24c0 .112-.072.274-.21.467L13 9.688V7.862l-.023-.116c-.49.21-1.075.291-1.727.291-.198 0-.388-.009-.571-.029L6.833 5.226a4.01 4.01 0 0 0 .17-.782c.117-.935-.037-1.395-.241-1.614-.193-.206-.637-.413-1.682-.297-.683.076-1.115.231-1.395.415l-1.257-.91c.579-.564 1.413-.877 2.485-.996 1.206-.134 2.262.034 2.944.765.05.053.096.108.139.165.044-.057.094-.112.143-.165.682-.731 1.738-.899 2.944-.765 1.23.137 2.145.528 2.724 1.261.566.715.693 1.614.693 2.484 0 .572-.053 1.148-.254 1.656.066.228.098.429.126.612.012.076.024.148.037.218.924.385 1.522 1.471 1.591 2.095Zm-5.083-8.707c-1.044-.116-1.488.091-1.681.297-.204.219-.359.679-.242 1.614.091.726.303 1.231.618 1.553.299.305.784.54 1.638.54.922 0 1.28-.198 1.442-.379.179-.2.308-.578.308-1.371 0-.765-.123-1.242-.37-1.554-.233-.296-.693-.587-1.713-.7Zm2.511 11.074c-1.393.776-3.272 1.428-5.43 1.428-4.562 0-7.873-2.914-7.998-3.749V9.338c.085-.628.677-1.686 1.588-2.065.013-.07.024-.143.036-.218.029-.183.06-.384.126-.612-.18-.455-.241-.963-.252-1.475L.31 4.107A.747.747 0 0 1 0 3.509V3.49a.748.748 0 0 1 .625-.73c.156-.026.306.047.435.139l14.667 10.578a.592.592 0 0 1 .227.264.752.752 0 0 1 .046.249v.022a.75.75 0 0 1-1.19.596Zm-1.367-.991L5.635 7.964a5.128 5.128 0 0 1-.889.073c-.652 0-1.236-.081-1.727-.291l-.023.116v4.255c.419.323 2.722 1.433 5.002 1.433 1.539 0 3.089-.505 4.063-.934Z"></path> </svg> </template> <template id="workflow-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-workflow"> <path d="M0 1.75C0 .784.784 0 1.75 0h3.5C6.216 0 7 .784 7 1.75v3.5A1.75 1.75 0 0 1 5.25 7H4v4a1 1 0 0 0 1 1h4v-1.25C9 9.784 9.784 9 10.75 9h3.5c.966 0 1.75.784 1.75 1.75v3.5A1.75 1.75 0 0 1 14.25 16h-3.5A1.75 1.75 0 0 1 9 14.25v-.75H5A2.5 2.5 0 0 1 2.5 11V7h-.75A1.75 1.75 0 0 1 0 5.25Zm1.75-.25a.25.25 0 0 0-.25.25v3.5c0 .138.112.25.25.25h3.5a.25.25 0 0 0 .25-.25v-3.5a.25.25 0 0 0-.25-.25Zm9 9a.25.25 0 0 0-.25.25v3.5c0 .138.112.25.25.25h3.5a.25.25 0 0 0 .25-.25v-3.5a.25.25 0 0 0-.25-.25Z"></path> </svg> </template> <template id="book-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-book"> <path d="M0 1.75A.75.75 0 0 1 .75 1h4.253c1.227 0 2.317.59 3 1.501A3.743 3.743 0 0 1 11.006 1h4.245a.75.75 0 0 1 .75.75v10.5a.75.75 0 0 1-.75.75h-4.507a2.25 2.25 0 0 0-1.591.659l-.622.621a.75.75 0 0 1-1.06 0l-.622-.621A2.25 2.25 0 0 0 5.258 13H.75a.75.75 0 0 1-.75-.75Zm7.251 10.324.004-5.073-.002-2.253A2.25 2.25 0 0 0 5.003 2.5H1.5v9h3.757a3.75 3.75 0 0 1 1.994.574ZM8.755 4.75l-.004 7.322a3.752 3.752 0 0 1 1.992-.572H14.5v-9h-3.495a2.25 2.25 0 0 0-2.25 2.25Z"></path> </svg> </template> <template id="code-review-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code-review"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v8.5A1.75 1.75 0 0 1 14.25 13H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 14.543V13H1.75A1.75 1.75 0 0 1 0 11.25v-8.5C0 1.784.784 1 1.75 1ZM1.5 2.75v8.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-8.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Zm5.28 1.72a.75.75 0 0 1 0 1.06L5.31 7l1.47 1.47a.751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018l-2-2a.75.75 0 0 1 0-1.06l2-2a.75.75 0 0 1 1.06 0Zm2.44 0a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L10.69 7 9.22 5.53a.75.75 0 0 1 0-1.06Z"></path> </svg> </template> <template id="codespaces-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-codespaces"> <path d="M0 11.25c0-.966.784-1.75 1.75-1.75h12.5c.966 0 1.75.784 1.75 1.75v3A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25Zm2-9.5C2 .784 2.784 0 3.75 0h8.5C13.216 0 14 .784 14 1.75v5a1.75 1.75 0 0 1-1.75 1.75h-8.5A1.75 1.75 0 0 1 2 6.75Zm1.75-.25a.25.25 0 0 0-.25.25v5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-5a.25.25 0 0 0-.25-.25Zm-2 9.5a.25.25 0 0 0-.25.25v3c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-3a.25.25 0 0 0-.25-.25Z"></path><path d="M7 12.75a.75.75 0 0 1 .75-.75h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1-.75-.75Zm-4 0a.75.75 0 0 1 .75-.75h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1-.75-.75Z"></path> </svg> </template> <template id="comment-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-comment"> <path d="M1 2.75C1 1.784 1.784 1 2.75 1h10.5c.966 0 1.75.784 1.75 1.75v7.5A1.75 1.75 0 0 1 13.25 12H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 13.543V12H2.75A1.75 1.75 0 0 1 1 10.25Zm1.75-.25a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Z"></path> </svg> </template> <template id="comment-discussion-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-comment-discussion"> <path d="M1.75 1h8.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 10.25 10H7.061l-2.574 2.573A1.458 1.458 0 0 1 2 11.543V10h-.25A1.75 1.75 0 0 1 0 8.25v-5.5C0 1.784.784 1 1.75 1ZM1.5 2.75v5.5c0 .138.112.25.25.25h1a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h3.5a.25.25 0 0 0 .25-.25v-5.5a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13 2a.25.25 0 0 0-.25-.25h-.5a.75.75 0 0 1 0-1.5h.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 14.25 12H14v1.543a1.458 1.458 0 0 1-2.487 1.03L9.22 12.28a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l2.22 2.22v-2.19a.75.75 0 0 1 .75-.75h1a.25.25 0 0 0 .25-.25Z"></path> </svg> </template> <template id="organization-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-organization"> <path d="M1.75 16A1.75 1.75 0 0 1 0 14.25V1.75C0 .784.784 0 1.75 0h8.5C11.216 0 12 .784 12 1.75v12.5c0 .085-.006.168-.018.25h2.268a.25.25 0 0 0 .25-.25V8.285a.25.25 0 0 0-.111-.208l-1.055-.703a.749.749 0 1 1 .832-1.248l1.055.703c.487.325.779.871.779 1.456v5.965A1.75 1.75 0 0 1 14.25 16h-3.5a.766.766 0 0 1-.197-.026c-.099.017-.2.026-.303.026h-3a.75.75 0 0 1-.75-.75V14h-1v1.25a.75.75 0 0 1-.75.75Zm-.25-1.75c0 .138.112.25.25.25H4v-1.25a.75.75 0 0 1 .75-.75h2.5a.75.75 0 0 1 .75.75v1.25h2.25a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25ZM3.75 6h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5ZM3 3.75A.75.75 0 0 1 3.75 3h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 3 3.75Zm4 3A.75.75 0 0 1 7.75 6h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 7 6.75ZM7.75 3h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5ZM3 9.75A.75.75 0 0 1 3.75 9h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 3 9.75ZM7.75 9h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5Z"></path> </svg> </template> <template id="rocket-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-rocket"> <path d="M14.064 0h.186C15.216 0 16 .784 16 1.75v.186a8.752 8.752 0 0 1-2.564 6.186l-.458.459c-.314.314-.641.616-.979.904v3.207c0 .608-.315 1.172-.833 1.49l-2.774 1.707a.749.749 0 0 1-1.11-.418l-.954-3.102a1.214 1.214 0 0 1-.145-.125L3.754 9.816a1.218 1.218 0 0 1-.124-.145L.528 8.717a.749.749 0 0 1-.418-1.11l1.71-2.774A1.748 1.748 0 0 1 3.31 4h3.204c.288-.338.59-.665.904-.979l.459-.458A8.749 8.749 0 0 1 14.064 0ZM8.938 3.623h-.002l-.458.458c-.76.76-1.437 1.598-2.02 2.5l-1.5 2.317 2.143 2.143 2.317-1.5c.902-.583 1.74-1.26 2.499-2.02l.459-.458a7.25 7.25 0 0 0 2.123-5.127V1.75a.25.25 0 0 0-.25-.25h-.186a7.249 7.249 0 0 0-5.125 2.123ZM3.56 14.56c-.732.732-2.334 1.045-3.005 1.148a.234.234 0 0 1-.201-.064.234.234 0 0 1-.064-.201c.103-.671.416-2.273 1.15-3.003a1.502 1.502 0 1 1 2.12 2.12Zm6.94-3.935c-.088.06-.177.118-.266.175l-2.35 1.521.548 1.783 1.949-1.2a.25.25 0 0 0 .119-.213ZM3.678 8.116 5.2 5.766c.058-.09.117-.178.176-.266H3.309a.25.25 0 0 0-.213.119l-1.2 1.95ZM12 5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> </template> <template id="shield-check-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-shield-check"> <path d="m8.533.133 5.25 1.68A1.75 1.75 0 0 1 15 3.48V7c0 1.566-.32 3.182-1.303 4.682-.983 1.498-2.585 2.813-5.032 3.855a1.697 1.697 0 0 1-1.33 0c-2.447-1.042-4.049-2.357-5.032-3.855C1.32 10.182 1 8.566 1 7V3.48a1.75 1.75 0 0 1 1.217-1.667l5.25-1.68a1.748 1.748 0 0 1 1.066 0Zm-.61 1.429.001.001-5.25 1.68a.251.251 0 0 0-.174.237V7c0 1.36.275 2.666 1.057 3.859.784 1.194 2.121 2.342 4.366 3.298a.196.196 0 0 0 .154 0c2.245-.957 3.582-2.103 4.366-3.297C13.225 9.666 13.5 8.358 13.5 7V3.48a.25.25 0 0 0-.174-.238l-5.25-1.68a.25.25 0 0 0-.153 0ZM11.28 6.28l-3.5 3.5a.75.75 0 0 1-1.06 0l-1.5-1.5a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l.97.97 2.97-2.97a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> </template> <template id="heart-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-heart"> <path d="m8 14.25.345.666a.75.75 0 0 1-.69 0l-.008-.004-.018-.01a7.152 7.152 0 0 1-.31-.17 22.055 22.055 0 0 1-3.434-2.414C2.045 10.731 0 8.35 0 5.5 0 2.836 2.086 1 4.25 1 5.797 1 7.153 1.802 8 3.02 8.847 1.802 10.203 1 11.75 1 13.914 1 16 2.836 16 5.5c0 2.85-2.045 5.231-3.885 6.818a22.066 22.066 0 0 1-3.744 2.584l-.018.01-.006.003h-.002ZM4.25 2.5c-1.336 0-2.75 1.164-2.75 3 0 2.15 1.58 4.144 3.365 5.682A20.58 20.58 0 0 0 8 13.393a20.58 20.58 0 0 0 3.135-2.211C12.92 9.644 14.5 7.65 14.5 5.5c0-1.836-1.414-3-2.75-3-1.373 0-2.609.986-3.029 2.456a.749.749 0 0 1-1.442 0C6.859 3.486 5.623 2.5 4.25 2.5Z"></path> </svg> </template> <template id="server-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-server"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v4c0 .372-.116.717-.314 1 .198.283.314.628.314 1v4a1.75 1.75 0 0 1-1.75 1.75H1.75A1.75 1.75 0 0 1 0 12.75v-4c0-.358.109-.707.314-1a1.739 1.739 0 0 1-.314-1v-4C0 1.784.784 1 1.75 1ZM1.5 2.75v4c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-4a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Zm.25 5.75a.25.25 0 0 0-.25.25v4c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-4a.25.25 0 0 0-.25-.25ZM7 4.75A.75.75 0 0 1 7.75 4h4.5a.75.75 0 0 1 0 1.5h-4.5A.75.75 0 0 1 7 4.75ZM7.75 10h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1 0-1.5ZM3 4.75A.75.75 0 0 1 3.75 4h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 3 4.75ZM3.75 10h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5Z"></path> </svg> </template> <template id="globe-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-globe"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM5.78 8.75a9.64 9.64 0 0 0 1.363 4.177c.255.426.542.832.857 1.215.245-.296.551-.705.857-1.215A9.64 9.64 0 0 0 10.22 8.75Zm4.44-1.5a9.64 9.64 0 0 0-1.363-4.177c-.307-.51-.612-.919-.857-1.215a9.927 9.927 0 0 0-.857 1.215A9.64 9.64 0 0 0 5.78 7.25Zm-5.944 1.5H1.543a6.507 6.507 0 0 0 4.666 5.5c-.123-.181-.24-.365-.352-.552-.715-1.192-1.437-2.874-1.581-4.948Zm-2.733-1.5h2.733c.144-2.074.866-3.756 1.58-4.948.12-.197.237-.381.353-.552a6.507 6.507 0 0 0-4.666 5.5Zm10.181 1.5c-.144 2.074-.866 3.756-1.58 4.948-.12.197-.237.381-.353.552a6.507 6.507 0 0 0 4.666-5.5Zm2.733-1.5a6.507 6.507 0 0 0-4.666-5.5c.123.181.24.365.353.552.714 1.192 1.436 2.874 1.58 4.948Z"></path> </svg> </template> <template id="issue-opened-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-opened"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> </template> <template id="device-mobile-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-device-mobile"> <path d="M3.75 0h8.5C13.216 0 14 .784 14 1.75v12.5A1.75 1.75 0 0 1 12.25 16h-8.5A1.75 1.75 0 0 1 2 14.25V1.75C2 .784 2.784 0 3.75 0ZM3.5 1.75v12.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25ZM8 13a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z"></path> </svg> </template> <template id="package-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-package"> <path d="m8.878.392 5.25 3.045c.54.314.872.89.872 1.514v6.098a1.75 1.75 0 0 1-.872 1.514l-5.25 3.045a1.75 1.75 0 0 1-1.756 0l-5.25-3.045A1.75 1.75 0 0 1 1 11.049V4.951c0-.624.332-1.201.872-1.514L7.122.392a1.75 1.75 0 0 1 1.756 0ZM7.875 1.69l-4.63 2.685L8 7.133l4.755-2.758-4.63-2.685a.248.248 0 0 0-.25 0ZM2.5 5.677v5.372c0 .09.047.171.125.216l4.625 2.683V8.432Zm6.25 8.271 4.625-2.683a.25.25 0 0 0 .125-.216V5.677L8.75 8.432Z"></path> </svg> </template> <template id="credit-card-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-credit-card"> <path d="M10.75 9a.75.75 0 0 0 0 1.5h1.5a.75.75 0 0 0 0-1.5h-1.5Z"></path><path d="M0 3.75C0 2.784.784 2 1.75 2h12.5c.966 0 1.75.784 1.75 1.75v8.5A1.75 1.75 0 0 1 14.25 14H1.75A1.75 1.75 0 0 1 0 12.25ZM14.5 6.5h-13v5.75c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25Zm0-2.75a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25V5h13Z"></path> </svg> </template> <template id="play-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-play"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm4.879-2.773 4.264 2.559a.25.25 0 0 1 0 .428l-4.264 2.559A.25.25 0 0 1 6 10.559V5.442a.25.25 0 0 1 .379-.215Z"></path> </svg> </template> <template id="gift-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-gift"> <path d="M2 2.75A2.75 2.75 0 0 1 4.75 0c.983 0 1.873.42 2.57 1.232.268.318.497.668.68 1.042.183-.375.411-.725.68-1.044C9.376.42 10.266 0 11.25 0a2.75 2.75 0 0 1 2.45 4h.55c.966 0 1.75.784 1.75 1.75v2c0 .698-.409 1.301-1 1.582v4.918A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V9.332C.409 9.05 0 8.448 0 7.75v-2C0 4.784.784 4 1.75 4h.55c-.192-.375-.3-.8-.3-1.25ZM7.25 9.5H2.5v4.75c0 .138.112.25.25.25h4.5Zm1.5 0v5h4.5a.25.25 0 0 0 .25-.25V9.5Zm0-4V8h5.5a.25.25 0 0 0 .25-.25v-2a.25.25 0 0 0-.25-.25Zm-7 0a.25.25 0 0 0-.25.25v2c0 .138.112.25.25.25h5.5V5.5h-5.5Zm3-4a1.25 1.25 0 0 0 0 2.5h2.309c-.233-.818-.542-1.401-.878-1.793-.43-.502-.915-.707-1.431-.707ZM8.941 4h2.309a1.25 1.25 0 0 0 0-2.5c-.516 0-1 .205-1.43.707-.337.392-.646.975-.879 1.793Z"></path> </svg> </template> <template id="code-square-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code-square"> <path d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25Zm7.47 3.97a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L10.69 8 9.22 6.53a.75.75 0 0 1 0-1.06ZM6.78 6.53 5.31 8l1.47 1.47a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215l-2-2a.75.75 0 0 1 0-1.06l2-2a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> </template> <template id="device-desktop-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-device-desktop"> <path d="M14.25 1c.966 0 1.75.784 1.75 1.75v7.5A1.75 1.75 0 0 1 14.25 12h-3.727c.099 1.041.52 1.872 1.292 2.757A.752.752 0 0 1 11.25 16h-6.5a.75.75 0 0 1-.565-1.243c.772-.885 1.192-1.716 1.292-2.757H1.75A1.75 1.75 0 0 1 0 10.25v-7.5C0 1.784.784 1 1.75 1ZM1.75 2.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25ZM9.018 12H6.982a5.72 5.72 0 0 1-.765 2.5h3.566a5.72 5.72 0 0 1-.765-2.5Z"></path> </svg> </template> <div class="position-relative"> <ul role="listbox" class="ActionListWrap QueryBuilder-ListWrap" aria-label="Suggestions" data-action=" combobox-commit:query-builder#comboboxCommit mousedown:query-builder#resultsMousedown " data-target="query-builder.resultsList" data-persist-list=false id="query-builder-test-results" ></ul> </div> <div class="FormControl-inlineValidation" id="validation-14b41df9-8cd2-4293-9e51-076bd798677b" hidden="hidden"> <span class="FormControl-inlineValidation--visual"> <svg aria-hidden="true" height="12" viewBox="0 0 12 12" version="1.1" width="12" data-view-component="true" class="octicon octicon-alert-fill"> <path d="M4.855.708c.5-.896 1.79-.896 2.29 0l4.675 8.351a1.312 1.312 0 0 1-1.146 1.954H1.33A1.313 1.313 0 0 1 .183 9.058ZM7 7V3H5v4Zm-1 3a1 1 0 1 0 0-2 1 1 0 0 0 0 2Z"></path> </svg> </span> <span></span> </div> </div> <div data-target="query-builder.screenReaderFeedback" aria-live="polite" aria-atomic="true" class="sr-only"></div> </query-builder></form> <div class="d-flex flex-row color-fg-muted px-3 text-small color-bg-default search-feedback-prompt"> <a target="_blank" href="https://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax" data-view-component="true" class="Link color-fg-accent text-normal ml-2"> Search syntax tips </a> <div class="d-flex flex-1"></div> </div> </div> </div> </div> </modal-dialog></div> </div> <div data-action="click:qbsearch-input#retract" class="dark-backdrop position-fixed" hidden data-target="qbsearch-input.darkBackdrop"></div> <div class="color-fg-default"> <dialog-helper> <dialog data-target="qbsearch-input.feedbackDialog" data-action="close:qbsearch-input#handleDialogClose cancel:qbsearch-input#handleDialogClose" id="feedback-dialog" aria-modal="true" aria-labelledby="feedback-dialog-title" aria-describedby="feedback-dialog-description" data-view-component="true" class="Overlay Overlay-whenNarrow Overlay--size-medium Overlay--motion-scaleFade Overlay--disableScroll"> <div data-view-component="true" class="Overlay-header"> <div class="Overlay-headerContentWrap"> <div class="Overlay-titleWrap"> <h1 class="Overlay-title " id="feedback-dialog-title"> Provide feedback </h1> </div> <div class="Overlay-actionWrap"> <button data-close-dialog-id="feedback-dialog" aria-label="Close" type="button" data-view-component="true" class="close-button Overlay-closeButton"><svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg></button> </div> </div> </div> <scrollable-region data-labelled-by="feedback-dialog-title"> <div data-view-component="true" class="Overlay-body"> </option></form><form id="code-search-feedback-form" data-turbo="false" action="/search/feedback" accept-charset="UTF-8" method="post"><input type="hidden" data-csrf="true" name="authenticity_token" value="zI78Cr44zeoUmj8br4um2S58Ngr8cdmYBG+0Eb2s4gDaZIkUNu7+YxWxffzMzCZb6lZ11FcEyjm7n7TtrLvjSA==" /> <p>We read every piece of feedback, and take your input very seriously.</p> <textarea name="feedback" class="form-control width-full mb-2" style="height: 120px" id="feedback"></textarea> <input name="include_email" id="include_email" aria-label="Include my email address so I can be contacted" class="form-control mr-2" type="checkbox"> <label for="include_email" style="font-weight: normal">Include my email address so I can be contacted</label> </form></div> </scrollable-region> <div data-view-component="true" class="Overlay-footer Overlay-footer--alignEnd"> <button data-close-dialog-id="feedback-dialog" type="button" data-view-component="true" class="btn"> Cancel </button> <button form="code-search-feedback-form" data-action="click:qbsearch-input#submitFeedback" type="submit" data-view-component="true" class="btn-primary btn"> Submit feedback </button> </div> </dialog></dialog-helper> <custom-scopes data-target="qbsearch-input.customScopesManager"> <dialog-helper> <dialog data-target="custom-scopes.customScopesModalDialog" data-action="close:qbsearch-input#handleDialogClose cancel:qbsearch-input#handleDialogClose" id="custom-scopes-dialog" aria-modal="true" aria-labelledby="custom-scopes-dialog-title" aria-describedby="custom-scopes-dialog-description" data-view-component="true" class="Overlay Overlay-whenNarrow Overlay--size-medium Overlay--motion-scaleFade Overlay--disableScroll"> <div data-view-component="true" class="Overlay-header Overlay-header--divided"> <div class="Overlay-headerContentWrap"> <div class="Overlay-titleWrap"> <h1 class="Overlay-title " id="custom-scopes-dialog-title"> Saved searches </h1> <h2 id="custom-scopes-dialog-description" class="Overlay-description">Use saved searches to filter your results more quickly</h2> </div> <div class="Overlay-actionWrap"> <button data-close-dialog-id="custom-scopes-dialog" aria-label="Close" type="button" data-view-component="true" class="close-button Overlay-closeButton"><svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg></button> </div> </div> </div> <scrollable-region data-labelled-by="custom-scopes-dialog-title"> <div data-view-component="true" class="Overlay-body"> <div data-target="custom-scopes.customScopesModalDialogFlash"></div> <div hidden class="create-custom-scope-form" data-target="custom-scopes.createCustomScopeForm"> </option></form><form id="custom-scopes-dialog-form" data-turbo="false" action="/search/custom_scopes" accept-charset="UTF-8" method="post"><input type="hidden" data-csrf="true" name="authenticity_token" value="IfhLArkjIGUjyghyzMOJm0pism35jOvhivpY2jgKVSjx7JR42/VX+3sd1mMlaY9PXgtj5CLpxjLQ6pwTCIuiUA==" /> <div data-target="custom-scopes.customScopesModalDialogFlash"></div> <input type="hidden" id="custom_scope_id" name="custom_scope_id" data-target="custom-scopes.customScopesIdField"> <div class="form-group"> <label for="custom_scope_name">Name</label> <auto-check src="/search/custom_scopes/check_name" required> <input type="text" name="custom_scope_name" id="custom_scope_name" data-target="custom-scopes.customScopesNameField" class="form-control" autocomplete="off" placeholder="github-ruby" required maxlength="50"> <input type="hidden" data-csrf="true" value="ZRn/ut/17jSCrcmsjNFjaFfTN5Mc+k+U3AMogAddnlMkJunSN2R9nv2PwDn/QkK2jkJfaVvzMVoUzu5GU79E6A==" /> </auto-check> </div> <div class="form-group"> <label for="custom_scope_query">Query</label> <input type="text" name="custom_scope_query" id="custom_scope_query" data-target="custom-scopes.customScopesQueryField" class="form-control" autocomplete="off" placeholder="(repo:mona/a OR repo:mona/b) AND lang:python" required maxlength="500"> </div> <p class="text-small color-fg-muted"> To see all available qualifiers, see our <a class="Link--inTextBlock" href="https://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax">documentation</a>. </p> </form> </div> <div data-target="custom-scopes.manageCustomScopesForm"> <div data-target="custom-scopes.list"></div> </div> </div> </scrollable-region> <div data-view-component="true" class="Overlay-footer Overlay-footer--alignEnd Overlay-footer--divided"> <button data-action="click:custom-scopes#customScopesCancel" type="button" data-view-component="true" class="btn"> Cancel </button> <button form="custom-scopes-dialog-form" data-action="click:custom-scopes#customScopesSubmit" data-target="custom-scopes.customScopesSubmitButton" type="submit" data-view-component="true" class="btn-primary btn"> Create saved search </button> </div> </dialog></dialog-helper> </custom-scopes> </div> </qbsearch-input> <div class="position-relative HeaderMenu-link-wrap d-lg-inline-block"> <a href="/login?return_to=https%3A%2F%2Fgithub.com%2Fjquery%2Fjquery%2Fissues%2F4409" class="HeaderMenu-link HeaderMenu-link--sign-in HeaderMenu-button flex-shrink-0 no-underline d-none d-lg-inline-flex border border-lg-0 rounded rounded-lg-0 px-2 py-1" style="margin-left: 12px;" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"site header menu","repository_id":null,"auth_type":"SIGN_UP","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="91fe95885fcccbe72a3238c38854f85495467221324bd0e23e049e77c21c48a4" data-analytics-event="{"category":"Marketing nav","action":"click to go to homepage","label":"ref_page:Marketing;ref_cta:Sign in;ref_loc:Header"}" > Sign in </a> </div> <a href="/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=jquery%2Fjquery" class="HeaderMenu-link HeaderMenu-link--sign-up HeaderMenu-button flex-shrink-0 d-flex d-lg-inline-flex no-underline border color-border-default rounded px-2 py-1" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"site header menu","repository_id":null,"auth_type":"SIGN_UP","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="91fe95885fcccbe72a3238c38854f85495467221324bd0e23e049e77c21c48a4" data-analytics-event="{"category":"Sign up","action":"click to sign up for account","label":"ref_page:/<user-name>/<repo-name>/voltron/issues_fragments/issue_layout;ref_cta:Sign up;ref_loc:header logged out"}" > Sign up </a> <button type="button" class="sr-only js-header-menu-focus-trap d-block d-lg-none">Reseting focus</button> </div> </div> </div> </div> </header> <div hidden="hidden" data-view-component="true" class="js-stale-session-flash stale-session-flash flash flash-warn flash-full"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> <span class="js-stale-session-flash-signed-in" hidden>You signed in with another tab or window. <a class="Link--inTextBlock" href="">Reload</a> to refresh your session.</span> <span class="js-stale-session-flash-signed-out" hidden>You signed out in another tab or window. <a class="Link--inTextBlock" href="">Reload</a> to refresh your session.</span> <span class="js-stale-session-flash-switched" hidden>You switched accounts on another tab or window. <a class="Link--inTextBlock" href="">Reload</a> to refresh your session.</span> <button id="icon-button-97850799-8d06-4b15-ae1d-39f39133eaea" aria-labelledby="tooltip-2e024908-de4a-44c1-a7c1-ab2ea5d9dbb3" type="button" data-view-component="true" class="Button Button--iconOnly Button--invisible Button--medium flash-close js-flash-close"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x Button-visual"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button><tool-tip id="tooltip-2e024908-de4a-44c1-a7c1-ab2ea5d9dbb3" for="icon-button-97850799-8d06-4b15-ae1d-39f39133eaea" popover="manual" data-direction="s" data-type="label" data-view-component="true" class="sr-only position-absolute">Dismiss alert</tool-tip> </div> </div> <div id="start-of-content" class="show-on-focus"></div> <div id="js-flash-container" class="flash-container" data-turbo-replace> <template class="js-flash-template"> <div class="flash flash-full {{ className }}"> <div > <button autofocus class="flash-close js-flash-close" type="button" aria-label="Dismiss this message"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button> <div aria-atomic="true" role="alert" class="js-flash-alert"> <div>{{ message }}</div> </div> </div> </div> </template> </div> <div class="application-main " data-commit-hovercards-enabled data-discussion-hovercards-enabled data-issue-and-pr-hovercards-enabled > <div itemscope itemtype="http://schema.org/SoftwareSourceCode" class=""> <main id="js-repo-pjax-container" > <div id="repository-container-header" class="pt-3 hide-full-screen" style="background-color: var(--page-header-bgColor, var(--color-page-header-bg));" data-turbo-replace> <div class="d-flex flex-nowrap flex-justify-end mb-3 px-3 px-lg-5" style="gap: 1rem;"> <div class="flex-auto min-width-0 width-fit"> <div class=" d-flex flex-wrap flex-items-center wb-break-word f3 text-normal"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-repo color-fg-muted mr-2"> <path d="M2 2.5A2.5 2.5 0 0 1 4.5 0h8.75a.75.75 0 0 1 .75.75v12.5a.75.75 0 0 1-.75.75h-2.5a.75.75 0 0 1 0-1.5h1.75v-2h-8a1 1 0 0 0-.714 1.7.75.75 0 1 1-1.072 1.05A2.495 2.495 0 0 1 2 11.5Zm10.5-1h-8a1 1 0 0 0-1 1v6.708A2.486 2.486 0 0 1 4.5 9h8ZM5 12.25a.25.25 0 0 1 .25-.25h3.5a.25.25 0 0 1 .25.25v3.25a.25.25 0 0 1-.4.2l-1.45-1.087a.249.249 0 0 0-.3 0L5.4 15.7a.25.25 0 0 1-.4-.2Z"></path> </svg> <span class="author flex-self-stretch" itemprop="author"> <a class="url fn" rel="author" data-hovercard-type="organization" data-hovercard-url="/orgs/jquery/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/jquery"> jquery </a> </span> <span class="mx-1 flex-self-stretch color-fg-muted">/</span> <strong itemprop="name" class="mr-2 flex-self-stretch"> <a data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" href="/jquery/jquery">jquery</a> </strong> <span></span><span class="Label Label--secondary v-align-middle mr-1">Public</span> </div> </div> <div id="repository-details-container" class="flex-shrink-0" data-turbo-replace style="max-width: 70%;"> <ul class="pagehead-actions flex-shrink-0 d-none d-md-inline" style="padding: 2px 0;"> <li> <a href="/login?return_to=%2Fjquery%2Fjquery" rel="nofollow" id="repository-details-watch-button" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"notification subscription menu watch","repository_id":null,"auth_type":"LOG_IN","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="da2d5e5c708c1a7876aa9a8897aaa084ed48113ae01e1600da92d26c104ce988" aria-label="You must be signed in to change notification settings" data-view-component="true" class="btn-sm btn"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-bell mr-2"> <path d="M8 16a2 2 0 0 0 1.985-1.75c.017-.137-.097-.25-.235-.25h-3.5c-.138 0-.252.113-.235.25A2 2 0 0 0 8 16ZM3 5a5 5 0 0 1 10 0v2.947c0 .05.015.098.042.139l1.703 2.555A1.519 1.519 0 0 1 13.482 13H2.518a1.516 1.516 0 0 1-1.263-2.36l1.703-2.554A.255.255 0 0 0 3 7.947Zm5-3.5A3.5 3.5 0 0 0 4.5 5v2.947c0 .346-.102.683-.294.97l-1.703 2.556a.017.017 0 0 0-.003.01l.001.006c0 .002.002.004.004.006l.006.004.007.001h10.964l.007-.001.006-.004.004-.006.001-.007a.017.017 0 0 0-.003-.01l-1.703-2.554a1.745 1.745 0 0 1-.294-.97V5A3.5 3.5 0 0 0 8 1.5Z"></path> </svg>Notifications </a> <tool-tip id="tooltip-74092f10-5a42-45e3-a217-82b6a04a06f5" for="repository-details-watch-button" popover="manual" data-direction="s" data-type="description" data-view-component="true" class="sr-only position-absolute">You must be signed in to change notification settings</tool-tip> </li> <li> <a icon="repo-forked" id="fork-button" href="/login?return_to=%2Fjquery%2Fjquery" rel="nofollow" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"repo details fork button","repository_id":167174,"auth_type":"LOG_IN","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="ff5e474c70c3cc77720ee03f6ef96561b4c6acd4e746c3368428de42fb54a9c6" data-view-component="true" class="btn-sm btn"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-repo-forked mr-2"> <path d="M5 5.372v.878c0 .414.336.75.75.75h4.5a.75.75 0 0 0 .75-.75v-.878a2.25 2.25 0 1 1 1.5 0v.878a2.25 2.25 0 0 1-2.25 2.25h-1.5v2.128a2.251 2.251 0 1 1-1.5 0V8.5h-1.5A2.25 2.25 0 0 1 3.5 6.25v-.878a2.25 2.25 0 1 1 1.5 0ZM5 3.25a.75.75 0 1 0-1.5 0 .75.75 0 0 0 1.5 0Zm6.75.75a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm-3 8.75a.75.75 0 1 0-1.5 0 .75.75 0 0 0 1.5 0Z"></path> </svg>Fork <span id="repo-network-counter" data-pjax-replace="true" data-turbo-replace="true" title="20,579" data-view-component="true" class="Counter">20.6k</span> </a> </li> <li> <div data-view-component="true" class="BtnGroup d-flex"> <a href="/login?return_to=%2Fjquery%2Fjquery" rel="nofollow" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"star button","repository_id":167174,"auth_type":"LOG_IN","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="0f630d97fae2c729a63778bcb4bcd3cab17443737e85f28781f3b3da3b369ffd" aria-label="You must be signed in to star a repository" data-view-component="true" class="tooltipped tooltipped-sw btn-sm btn"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-star v-align-text-bottom d-inline-block mr-2"> <path d="M8 .25a.75.75 0 0 1 .673.418l1.882 3.815 4.21.612a.75.75 0 0 1 .416 1.279l-3.046 2.97.719 4.192a.751.751 0 0 1-1.088.791L8 12.347l-3.766 1.98a.75.75 0 0 1-1.088-.79l.72-4.194L.818 6.374a.75.75 0 0 1 .416-1.28l4.21-.611L7.327.668A.75.75 0 0 1 8 .25Zm0 2.445L6.615 5.5a.75.75 0 0 1-.564.41l-3.097.45 2.24 2.184a.75.75 0 0 1 .216.664l-.528 3.084 2.769-1.456a.75.75 0 0 1 .698 0l2.77 1.456-.53-3.084a.75.75 0 0 1 .216-.664l2.24-2.183-3.096-.45a.75.75 0 0 1-.564-.41L8 2.694Z"></path> </svg><span data-view-component="true" class="d-inline"> Star </span> <span id="repo-stars-counter-star" aria-label="59252 users starred this repository" data-singular-suffix="user starred this repository" data-plural-suffix="users starred this repository" data-turbo-replace="true" title="59,252" data-view-component="true" class="Counter js-social-count">59.3k</span> </a></div> </li> </ul> </div> </div> <div id="responsive-meta-container" data-turbo-replace> </div> <nav data-pjax="#js-repo-pjax-container" aria-label="Repository" data-view-component="true" class="js-repo-nav js-sidenav-container-pjax js-responsive-underlinenav overflow-hidden UnderlineNav px-3 px-md-4 px-lg-5"> <ul data-view-component="true" class="UnderlineNav-body list-style-none"> <li data-view-component="true" class="d-inline-flex"> <a id="code-tab" href="/jquery/jquery" data-tab-item="i0code-tab" data-selected-links="repo_source repo_downloads repo_commits repo_releases repo_tags repo_branches repo_packages repo_deployments repo_attestations /jquery/jquery" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g c" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Code","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code UnderlineNav-octicon d-none d-sm-inline"> <path d="m11.28 3.22 4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L13.94 8l-3.72-3.72a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215Zm-6.56 0a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042L2.06 8l3.72 3.72a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L.47 8.53a.75.75 0 0 1 0-1.06Z"></path> </svg> <span data-content="Code">Code</span> <span id="code-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="issues-tab" href="/jquery/jquery/issues" data-tab-item="i1issues-tab" data-selected-links="repo_issues repo_labels repo_milestones /jquery/jquery/issues" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g i" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Issues","target":"UNDERLINE_NAV.TAB"}" aria-current="page" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item selected"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-opened UnderlineNav-octicon d-none d-sm-inline"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> <span data-content="Issues">Issues</span> <span id="issues-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="76" data-view-component="true" class="Counter">76</span> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="pull-requests-tab" href="/jquery/jquery/pulls" data-tab-item="i2pull-requests-tab" data-selected-links="repo_pulls checks /jquery/jquery/pulls" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g p" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Pull requests","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-git-pull-request UnderlineNav-octicon d-none d-sm-inline"> <path d="M1.5 3.25a2.25 2.25 0 1 1 3 2.122v5.256a2.251 2.251 0 1 1-1.5 0V5.372A2.25 2.25 0 0 1 1.5 3.25Zm5.677-.177L9.573.677A.25.25 0 0 1 10 .854V2.5h1A2.5 2.5 0 0 1 13.5 5v5.628a2.251 2.251 0 1 1-1.5 0V5a1 1 0 0 0-1-1h-1v1.646a.25.25 0 0 1-.427.177L7.177 3.427a.25.25 0 0 1 0-.354ZM3.75 2.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm0 9.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm8.25.75a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0Z"></path> </svg> <span data-content="Pull requests">Pull requests</span> <span id="pull-requests-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="15" data-view-component="true" class="Counter">15</span> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="discussions-tab" href="/jquery/jquery/discussions" data-tab-item="i3discussions-tab" data-selected-links="repo_discussions /jquery/jquery/discussions" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g g" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Discussions","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-comment-discussion UnderlineNav-octicon d-none d-sm-inline"> <path d="M1.75 1h8.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 10.25 10H7.061l-2.574 2.573A1.458 1.458 0 0 1 2 11.543V10h-.25A1.75 1.75 0 0 1 0 8.25v-5.5C0 1.784.784 1 1.75 1ZM1.5 2.75v5.5c0 .138.112.25.25.25h1a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h3.5a.25.25 0 0 0 .25-.25v-5.5a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13 2a.25.25 0 0 0-.25-.25h-.5a.75.75 0 0 1 0-1.5h.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 14.25 12H14v1.543a1.458 1.458 0 0 1-2.487 1.03L9.22 12.28a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l2.22 2.22v-2.19a.75.75 0 0 1 .75-.75h1a.25.25 0 0 0 .25-.25Z"></path> </svg> <span data-content="Discussions">Discussions</span> <span id="discussions-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="actions-tab" href="/jquery/jquery/actions" data-tab-item="i4actions-tab" data-selected-links="repo_actions /jquery/jquery/actions" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g a" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Actions","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-play UnderlineNav-octicon d-none d-sm-inline"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm4.879-2.773 4.264 2.559a.25.25 0 0 1 0 .428l-4.264 2.559A.25.25 0 0 1 6 10.559V5.442a.25.25 0 0 1 .379-.215Z"></path> </svg> <span data-content="Actions">Actions</span> <span id="actions-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="wiki-tab" href="/jquery/jquery/wiki" data-tab-item="i5wiki-tab" data-selected-links="repo_wiki /jquery/jquery/wiki" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g w" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Wiki","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-book UnderlineNav-octicon d-none d-sm-inline"> <path d="M0 1.75A.75.75 0 0 1 .75 1h4.253c1.227 0 2.317.59 3 1.501A3.743 3.743 0 0 1 11.006 1h4.245a.75.75 0 0 1 .75.75v10.5a.75.75 0 0 1-.75.75h-4.507a2.25 2.25 0 0 0-1.591.659l-.622.621a.75.75 0 0 1-1.06 0l-.622-.621A2.25 2.25 0 0 0 5.258 13H.75a.75.75 0 0 1-.75-.75Zm7.251 10.324.004-5.073-.002-2.253A2.25 2.25 0 0 0 5.003 2.5H1.5v9h3.757a3.75 3.75 0 0 1 1.994.574ZM8.755 4.75l-.004 7.322a3.752 3.752 0 0 1 1.992-.572H14.5v-9h-3.495a2.25 2.25 0 0 0-2.25 2.25Z"></path> </svg> <span data-content="Wiki">Wiki</span> <span id="wiki-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="security-tab" href="/jquery/jquery/security" data-tab-item="i6security-tab" data-selected-links="security overview alerts policy token_scanning code_scanning /jquery/jquery/security" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-hotkey="g s" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Security","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-shield UnderlineNav-octicon d-none d-sm-inline"> <path d="M7.467.133a1.748 1.748 0 0 1 1.066 0l5.25 1.68A1.75 1.75 0 0 1 15 3.48V7c0 1.566-.32 3.182-1.303 4.682-.983 1.498-2.585 2.813-5.032 3.855a1.697 1.697 0 0 1-1.33 0c-2.447-1.042-4.049-2.357-5.032-3.855C1.32 10.182 1 8.566 1 7V3.48a1.75 1.75 0 0 1 1.217-1.667Zm.61 1.429a.25.25 0 0 0-.153 0l-5.25 1.68a.25.25 0 0 0-.174.238V7c0 1.358.275 2.666 1.057 3.86.784 1.194 2.121 2.34 4.366 3.297a.196.196 0 0 0 .154 0c2.245-.956 3.582-2.104 4.366-3.298C13.225 9.666 13.5 8.36 13.5 7V3.48a.251.251 0 0 0-.174-.237l-5.25-1.68ZM8.75 4.75v3a.75.75 0 0 1-1.5 0v-3a.75.75 0 0 1 1.5 0ZM9 10.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> <span data-content="Security">Security</span> <include-fragment src="/jquery/jquery/security/overall-count" accept="text/fragment+html"></include-fragment> </a></li> <li data-view-component="true" class="d-inline-flex"> <a id="insights-tab" href="/jquery/jquery/pulse" data-tab-item="i7insights-tab" data-selected-links="repo_graphs repo_contributors dependency_graph dependabot_updates pulse people community /jquery/jquery/pulse" data-pjax="#repo-content-pjax-container" data-turbo-frame="repo-content-turbo-frame" data-analytics-event="{"category":"Underline navbar","action":"Click tab","label":"Insights","target":"UNDERLINE_NAV.TAB"}" data-view-component="true" class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-graph UnderlineNav-octicon d-none d-sm-inline"> <path d="M1.5 1.75V13.5h13.75a.75.75 0 0 1 0 1.5H.75a.75.75 0 0 1-.75-.75V1.75a.75.75 0 0 1 1.5 0Zm14.28 2.53-5.25 5.25a.75.75 0 0 1-1.06 0L7 7.06 4.28 9.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.25-3.25a.75.75 0 0 1 1.06 0L10 7.94l4.72-4.72a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> <span data-content="Insights">Insights</span> <span id="insights-repo-tab-count" data-pjax-replace="" data-turbo-replace="" title="Not available" data-view-component="true" class="Counter"></span> </a></li> </ul> <div style="visibility:hidden;" data-view-component="true" class="UnderlineNav-actions js-responsive-underlinenav-overflow position-absolute pr-3 pr-md-4 pr-lg-5 right-0"> <action-menu data-select-variant="none" data-view-component="true"> <focus-group direction="vertical" mnemonics retain> <button id="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-button" popovertarget="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-overlay" aria-controls="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-list" aria-haspopup="true" aria-labelledby="tooltip-c3bf0a03-8ec9-48ce-9137-29aab395d82b" type="button" data-view-component="true" class="Button Button--iconOnly Button--secondary Button--medium UnderlineNav-item"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal Button-visual"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg> </button><tool-tip id="tooltip-c3bf0a03-8ec9-48ce-9137-29aab395d82b" for="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-button" popover="manual" data-direction="s" data-type="label" data-view-component="true" class="sr-only position-absolute">Additional navigation options</tool-tip> <anchored-position id="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-overlay" anchor="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-button" align="start" side="outside-bottom" anchor-offset="normal" popover="auto" data-view-component="true"> <div data-view-component="true" class="Overlay Overlay--size-auto"> <div data-view-component="true" class="Overlay-body Overlay-body--paddingNone"> <action-list> <div data-view-component="true"> <ul aria-labelledby="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-button" id="action-menu-e6771560-7fb7-48cf-96ed-b338afe343b1-list" role="menu" data-view-component="true" class="ActionListWrap--inset ActionListWrap"> <li hidden="hidden" data-menu-item="i0code-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-ecc64010-9f1d-4fc9-ad37-e4554cf5e5ec" href="/jquery/jquery" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code"> <path d="m11.28 3.22 4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L13.94 8l-3.72-3.72a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215Zm-6.56 0a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042L2.06 8l3.72 3.72a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L.47 8.53a.75.75 0 0 1 0-1.06Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Code </span> </a> </li> <li hidden="hidden" data-menu-item="i1issues-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-1a67d1f5-1bc4-413c-b155-cb2471ef6fdc" href="/jquery/jquery/issues" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-opened"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Issues </span> </a> </li> <li hidden="hidden" data-menu-item="i2pull-requests-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-e106351c-fc03-470a-bef3-c1187a4f5dbb" href="/jquery/jquery/pulls" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-git-pull-request"> <path d="M1.5 3.25a2.25 2.25 0 1 1 3 2.122v5.256a2.251 2.251 0 1 1-1.5 0V5.372A2.25 2.25 0 0 1 1.5 3.25Zm5.677-.177L9.573.677A.25.25 0 0 1 10 .854V2.5h1A2.5 2.5 0 0 1 13.5 5v5.628a2.251 2.251 0 1 1-1.5 0V5a1 1 0 0 0-1-1h-1v1.646a.25.25 0 0 1-.427.177L7.177 3.427a.25.25 0 0 1 0-.354ZM3.75 2.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm0 9.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm8.25.75a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Pull requests </span> </a> </li> <li hidden="hidden" data-menu-item="i3discussions-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-7adc0955-c149-469c-980c-fc9c3b5b0ef5" href="/jquery/jquery/discussions" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-comment-discussion"> <path d="M1.75 1h8.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 10.25 10H7.061l-2.574 2.573A1.458 1.458 0 0 1 2 11.543V10h-.25A1.75 1.75 0 0 1 0 8.25v-5.5C0 1.784.784 1 1.75 1ZM1.5 2.75v5.5c0 .138.112.25.25.25h1a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h3.5a.25.25 0 0 0 .25-.25v-5.5a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13 2a.25.25 0 0 0-.25-.25h-.5a.75.75 0 0 1 0-1.5h.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 14.25 12H14v1.543a1.458 1.458 0 0 1-2.487 1.03L9.22 12.28a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l2.22 2.22v-2.19a.75.75 0 0 1 .75-.75h1a.25.25 0 0 0 .25-.25Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Discussions </span> </a> </li> <li hidden="hidden" data-menu-item="i4actions-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-41729a56-1867-4e55-b56e-7e7a229ee75f" href="/jquery/jquery/actions" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-play"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm4.879-2.773 4.264 2.559a.25.25 0 0 1 0 .428l-4.264 2.559A.25.25 0 0 1 6 10.559V5.442a.25.25 0 0 1 .379-.215Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Actions </span> </a> </li> <li hidden="hidden" data-menu-item="i5wiki-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-3dd62444-5ef6-40e6-9236-0b3e569b6685" href="/jquery/jquery/wiki" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-book"> <path d="M0 1.75A.75.75 0 0 1 .75 1h4.253c1.227 0 2.317.59 3 1.501A3.743 3.743 0 0 1 11.006 1h4.245a.75.75 0 0 1 .75.75v10.5a.75.75 0 0 1-.75.75h-4.507a2.25 2.25 0 0 0-1.591.659l-.622.621a.75.75 0 0 1-1.06 0l-.622-.621A2.25 2.25 0 0 0 5.258 13H.75a.75.75 0 0 1-.75-.75Zm7.251 10.324.004-5.073-.002-2.253A2.25 2.25 0 0 0 5.003 2.5H1.5v9h3.757a3.75 3.75 0 0 1 1.994.574ZM8.755 4.75l-.004 7.322a3.752 3.752 0 0 1 1.992-.572H14.5v-9h-3.495a2.25 2.25 0 0 0-2.25 2.25Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Wiki </span> </a> </li> <li hidden="hidden" data-menu-item="i6security-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-f786e636-e6dd-41a5-8aac-99bd62f58599" href="/jquery/jquery/security" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-shield"> <path d="M7.467.133a1.748 1.748 0 0 1 1.066 0l5.25 1.68A1.75 1.75 0 0 1 15 3.48V7c0 1.566-.32 3.182-1.303 4.682-.983 1.498-2.585 2.813-5.032 3.855a1.697 1.697 0 0 1-1.33 0c-2.447-1.042-4.049-2.357-5.032-3.855C1.32 10.182 1 8.566 1 7V3.48a1.75 1.75 0 0 1 1.217-1.667Zm.61 1.429a.25.25 0 0 0-.153 0l-5.25 1.68a.25.25 0 0 0-.174.238V7c0 1.358.275 2.666 1.057 3.86.784 1.194 2.121 2.34 4.366 3.297a.196.196 0 0 0 .154 0c2.245-.956 3.582-2.104 4.366-3.298C13.225 9.666 13.5 8.36 13.5 7V3.48a.251.251 0 0 0-.174-.237l-5.25-1.68ZM8.75 4.75v3a.75.75 0 0 1-1.5 0v-3a.75.75 0 0 1 1.5 0ZM9 10.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Security </span> </a> </li> <li hidden="hidden" data-menu-item="i7insights-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-2406da6b-df03-4869-9a14-e48572461416" href="/jquery/jquery/pulse" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-graph"> <path d="M1.5 1.75V13.5h13.75a.75.75 0 0 1 0 1.5H.75a.75.75 0 0 1-.75-.75V1.75a.75.75 0 0 1 1.5 0Zm14.28 2.53-5.25 5.25a.75.75 0 0 1-1.06 0L7 7.06 4.28 9.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.25-3.25a.75.75 0 0 1 1.06 0L10 7.94l4.72-4.72a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Insights </span> </a> </li> </ul> </div></action-list> </div> </div></anchored-position> </focus-group> </action-menu></div> </nav> </div> <turbo-frame id="repo-content-turbo-frame" target="_top" data-turbo-action="advance" class=""> <div id="repo-content-pjax-container" class="repository-content " > <div class="clearfix new-discussion-timeline js-check-all-container container-xl px-3 px-md-4 px-lg-5 mt-4" data-pjax="" data-turbo-frame=""> <div id="show_issue" class="js-issues-results js-socket-channel js-updatable-content" data-morpheus-enabled="false" data-channel="eyJjIjoiaXNzdWU6NDQ4OTY0NjM4OnRpbWVsaW5lIiwidCI6MTczMjg0MDE2OX0=--c5bf91d1bfc6a442e68d5ec82563f0677b4c0b43450aa4a5f816f606b1065606"> <div id="partial-discussion-header" class="gh-header mb-3 js-details-container Details js-socket-channel js-updatable-content issue" data-channel="eyJjIjoiaXNzdWU6NDQ4OTY0NjM4IiwidCI6MTczMjg0MDE2OX0=--8a452e198aa51c17d49e0a17675d695c39ef062c5017db658688388e89797086" data-url="/jquery/jquery/issues/4409/show_partial?partial=issues%2Ftitle&sticky=true" data-gid="MDU6SXNzdWU0NDg5NjQ2Mzg="> <div class="gh-header-show "> <div class="d-flex flex-column flex-md-row"> <div class="gh-header-actions mt-0 mb-3 mb-md-2 ml-1 flex-md-order-1 flex-shrink-0 d-flex flex-items-center gap-1"> <details class="details-reset details-overlay details-overlay-dark float-right" > <summary class="btn btn-sm btn-primary m-0 ml-0 ml-md-2" > New issue </summary> <details-dialog class="Box Box--overlay d-flex flex-column anim-fade-in fast overflow-auto" aria-label="Sign up for GitHub"> <button aria-label="Close dialog" data-close-dialog="" type="button" data-view-component="true" class="Link--muted btn-link position-absolute p-4 right-0"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button> <div class="d-flex flex-column p-4"> <div class="mt-3 mb-2 text-center"> <svg height="60" aria-hidden="true" viewBox="0 0 24 24" version="1.1" width="60" data-view-component="true" class="octicon octicon-comment-discussion color-fg-accent"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 14.25 14H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 15.543V14H1.75A1.75 1.75 0 0 1 0 12.25v-9.5C0 1.784.784 1 1.75 1ZM1.5 2.75v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Z"></path><path d="M22.5 8.75a.25.25 0 0 0-.25-.25h-3.5a.75.75 0 0 1 0-1.5h3.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 22.25 20H21v1.543a1.457 1.457 0 0 1-2.487 1.03L15.939 20H10.75A1.75 1.75 0 0 1 9 18.25v-1.465a.75.75 0 0 1 1.5 0v1.465c0 .138.112.25.25.25h5.5a.75.75 0 0 1 .53.22l2.72 2.72v-2.19a.75.75 0 0 1 .75-.75h2a.25.25 0 0 0 .25-.25v-9.5Z"></path> </svg> </div> <div class="px-4"> <p class="text-center mb-4"> <strong>Have a question about this project?</strong> Sign up for a free GitHub account to open an issue and contact its maintainers and the community. </p> <div class="d-flex flex-items-center"> <a href="/signup?return_to=%2Fjquery%2Fjquery%2Fissues%2Fnew%2Fchoose" data-view-component="true" class="btn-primary btn mx-auto"> Sign up for GitHub </a> </div> <p class="mt-4 color-fg-muted text-center">By clicking “Sign up for GitHub”, you agree to our <a class="Link--inTextBlock" href="https://docs.github.com/terms" target="_blank">terms of service</a> and <a class="Link--inTextBlock" href="https://docs.github.com/privacy" target="_blank">privacy statement</a>. We’ll occasionally send you account related emails.</p> <p class="mt-4 color-fg-muted text-center"> Already on GitHub? <a data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"new issue modal","repository_id":null,"auth_type":"LOG_IN","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="98cdd09586227805656a25dd12c4307228bef6d135938de429fbb9f8a4d05b5d" class="Link--inTextBlock" href="/login?return_to=%2Fjquery%2Fjquery%2Fissues%2Fnew%2Fchoose">Sign in</a> to your account </p> </div> </div> </details-dialog> </details> <div class="flex-auto text-right d-block d-md-none"> <a href="#issue-comment-box" class="py-1">Jump to bottom</a> </div> </div> <h1 class="gh-header-title mb-2 lh-condensed f1 mr-0 flex-auto wb-break-word"> <bdi class="js-issue-title markdown-title">Have Trusted Types API built directly into the jQuery Core Files</bdi> <span class="f1-light color-fg-muted">#4409</span> </h1> </div> </div> <div class="d-flex flex-items-center flex-wrap mt-0 gh-header-meta"> <div class="flex-shrink-0 mb-2 flex-self-start flex-md-self-center"> <span title="Status: Closed" data-view-component="true" class="State State--merged d-flex flex-items-center"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-closed flex-items-center mr-1"> <path d="M11.28 6.78a.75.75 0 0 0-1.06-1.06L7.25 8.69 5.78 7.22a.75.75 0 0 0-1.06 1.06l2 2a.75.75 0 0 0 1.06 0l3.5-3.5Z"></path><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0Zm-1.5 0a6.5 6.5 0 1 0-13 0 6.5 6.5 0 0 0 13 0Z"></path> </svg> Closed </span> </div> <div class="mb-2 flex-shrink-0"> <div> </div> </div> <div class="flex-shrink-0 mb-2 flex-self-start flex-md-self-center"> </div> <div class="flex-auto min-width-0 mb-2"> <a class="author text-bold Link--secondary" data-hovercard-type="user" data-hovercard-url="/users/ghost/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ghost">ghost</a> opened this issue <relative-time datetime="2019-05-27T18:52:00Z" class="no-wrap">May 27, 2019</relative-time> · 24 comments <span data-issue-and-pr-hovercards-enabled> <span><span> · Fixed by <a href="https://github.com/jquery/jquery/pull/4927" data-hydro-click="{"event_type":"issue_cross_references.click","payload":{"reference_location":"ISSUE_HEADER","user_id":null,"issue_id":448964638,"pull_request_id":730924715,"originating_url":"https://github.com/jquery/jquery/issues/4409"}}" data-hydro-click-hmac="1cddebca411ec386fe376c468515e68e61eba6d801dc8a6cc73e8c1d9fd53a49" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard">#4927</a></span><span></span></span> </span> </div> </div> <div class="js-sticky js-sticky-offset-scroll top-0 gh-header-sticky"> <div class="sticky-content"> <div class="d-flex flex-items-center flex-justify-between mt-2"> <div class="d-flex flex-row flex-items-center min-width-0"> <div class="mr-2 mb-2 flex-shrink-0"> <span title="Status: Closed" data-view-component="true" class="State State--merged d-flex flex-items-center"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-closed flex-items-center mr-1"> <path d="M11.28 6.78a.75.75 0 0 0-1.06-1.06L7.25 8.69 5.78 7.22a.75.75 0 0 0-1.06 1.06l2 2a.75.75 0 0 0 1.06 0l3.5-3.5Z"></path><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0Zm-1.5 0a6.5 6.5 0 1 0-13 0 6.5 6.5 0 0 0 13 0Z"></path> </svg> Closed </span> </div> <div class="mb-2 flex-shrink-0"> <div> </div> </div> <div class="mb-2 flex-shrink-0"> </div> <div class="min-width-0 mr-2 mb-2"> <h1 class="d-flex text-bold f5"> <a class="js-issue-title css-truncate css-truncate-target Link--primary width-fit markdown-title js-smoothscroll-anchor" href="#top"> Have Trusted Types API built directly into the jQuery Core Files </a> <span class="gh-header-number color-fg-muted pl-1">#4409</span> </h1> <div class="meta color-fg-muted css-truncate css-truncate-target d-block width-fit"> <a class="author text-bold Link--secondary" data-hovercard-z-index-override="111" data-hovercard-type="user" data-hovercard-url="/users/ghost/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ghost">ghost</a> opened this issue <relative-time datetime="2019-05-27T18:52:00Z" class="no-wrap">May 27, 2019</relative-time> · 24 comments <span data-issue-and-pr-hovercards-enabled> <span><span> · Fixed by <a href="https://github.com/jquery/jquery/pull/4927" data-hydro-click="{"event_type":"issue_cross_references.click","payload":{"reference_location":"ISSUE_HEADER","user_id":null,"issue_id":448964638,"pull_request_id":730924715,"originating_url":"https://github.com/jquery/jquery/issues/4409"}}" data-hydro-click-hmac="1cddebca411ec386fe376c468515e68e61eba6d801dc8a6cc73e8c1d9fd53a49" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard">#4927</a></span><span></span></span> </span> </div> </div> </div> </div> </div> </div> <div class="gh-header-shadow color-shadow-small js-notification-shelf-offset-top"></div> </div> <div class="d-block d-md-none border-bottom mb-4 f6"> <div class="d-flex mb-3"> <span class="text-bold color-fg-muted col-3 col-sm-2 flex-shrink-0">Assignees</span> <div class="min-width-0"> <a class="no-underline" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&v=4" width="20" height="20" alt="@mgol" /> </a> </div> </div> <div class="d-flex mb-3"> <span class="text-bold color-fg-muted col-3 col-sm-2 flex-shrink-0">Labels</span> <div class="min-width-0 d-flex flex-wrap mt-n1"> <a id="label-61f22f" href="/jquery/jquery/labels/Core" data-name="Core" style="--label-r:0;--label-g:82;--label-b:204;--label-h:215;--label-s:100;--label-l:40;" data-view-component="true" class="IssueLabel hx_IssueLabel width-fit mb-1 mr-1"> <span class="css-truncate css-truncate-target width-fit">Core</span> </a> <a id="label-14ac9b" href="/jquery/jquery/labels/Has%20Pull%20Request" data-name="Has Pull Request" style="--label-r:191;--label-g:229;--label-b:191;--label-h:120;--label-s:42;--label-l:82;" data-view-component="true" class="IssueLabel hx_IssueLabel width-fit mb-1 mr-1"> <span class="css-truncate css-truncate-target width-fit">Has Pull Request</span> </a> <a id="label-b7f81e" href="/jquery/jquery/labels/Manipulation" data-name="Manipulation" style="--label-r:0;--label-g:82;--label-b:204;--label-h:215;--label-s:100;--label-l:40;" data-view-component="true" class="IssueLabel hx_IssueLabel width-fit mb-1 mr-1"> <span class="css-truncate css-truncate-target width-fit">Manipulation</span> </a> </div> </div> <div class="d-flex mb-3"> <span class="text-bold color-fg-muted col-3 col-sm-2 flex-shrink-0">Milestone</span> <div class="min-width-0"> <a title="4.0.0" href="/jquery/jquery/milestone/7" class="Link--primary text-bold no-underline"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-milestone color-fg-muted"> <path d="M7.75 0a.75.75 0 0 1 .75.75V3h3.634c.414 0 .814.147 1.13.414l2.07 1.75a1.75 1.75 0 0 1 0 2.672l-2.07 1.75a1.75 1.75 0 0 1-1.13.414H8.5v5.25a.75.75 0 0 1-1.5 0V10H2.75A1.75 1.75 0 0 1 1 8.25v-3.5C1 3.784 1.784 3 2.75 3H7V.75A.75.75 0 0 1 7.75 0Zm4.384 8.5a.25.25 0 0 0 .161-.06l2.07-1.75a.248.248 0 0 0 0-.38l-2.07-1.75a.25.25 0 0 0-.161-.06H2.75a.25.25 0 0 0-.25.25v3.5c0 .138.112.25.25.25h9.384Z"></path> </svg> <span class="css-truncate css-truncate-target">4.0.0</span> </a> </div> </div> </div> <div id="discussion_bucket"> <div data-view-component="true" class="Layout Layout--flowRow-until-md Layout--sidebarPosition-end Layout--sidebarPosition-flowRow-end"> <div data-view-component="true" class="Layout-main"> <h2 class="sr-only">Comments</h2> <div class="js-quote-selection-container" data-quote-markdown=".js-comment-body" data-discussion-hovercards-enabled data-issue-and-pr-hovercards-enabled data-team-hovercards-enabled> <div class="js-discussion ml-0 pl-0 ml-md-6 pl-md-3" data-hpc > <div class="TimelineItem pt-0 js-comment-container js-socket-channel js-updatable-content " data-gid="MDU6SXNzdWU0NDg5NjQ2Mzg=" data-url="/jquery/jquery/issues/4409/partials/body?issue=4409" data-channel="eyJjIjoiaXNzdWU6NDQ4OTY0NjM4IiwidCI6MTczMjg0MDE3MH0=--ed17b6901cd5423a31dcda1f23ed488c867449ebcc727240252ef0bb2e8cdbab"> <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/ghost/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ghost"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/10137?s=80&v=4" width="40" height="40" alt="@ghost" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issue-448964638"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="52fbdfb1c27a8471d7fe62f923c0caf27fdd915b9a619c93e28d296da3f2af77"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issue-448964638-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/ghost/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ghost">ghost</a> </strong> commented <a href="#issue-448964638" id="issue-448964638-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-05-27T18:52:00Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">The latest version of jQuery V3.4.1 has 5 <code class="notranslate">innerHTML()</code> which are not sanitized by default. Does the jQuery team plan on addressing these DOM XSS things in the near future with regards to the new Trusted Types API see here: <a href="https://github.com/WICG/trusted-types">https://github.com/WICG/trusted-types</a></p> </td> </tr> <tr class="d-block pl-3 pr-3 pb-3 js-comment-body-error" hidden> <td class="d-block"> <div class="flash flash-warn" role="alert"> <p class="mb-1"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-info"> <path d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z"></path> </svg> The text was updated successfully, but these errors were encountered: </p> <ol class="mb-0 pl-4 ml-4"> </ol> </div> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="1RpVHkd-4or4GD4d1xtvdiBzr1PFIc9by986DnNzcBjRXv6wBy6wnnvNjSN4TmTZmCqG4R6rcuZXdrXardZCFg" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDU6SXNzdWU0NDg5NjQ2Mzg="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issue-448964638-edit-form" data-turbo="false" action="/jquery/jquery/issues/4409" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="1FeO7p59GClzQyybzABqEUMUU2yCnd7rkK0Q8SkRs82o+sb1r1B9cM4yruftHN2R8s5sip3uyONN/np2Qaowmw==" /></form> </div> </div> </div> <div> <div id="js-timeline-progressive-loader" data-timeline-item-src="jquery/jquery/timeline_focused_item?after_cursor=Y3Vyc29yOnYyOpPPAAABcpUkq-ACqjEwMzcwNjMwNDU%3D&before_cursor=Y3Vyc29yOnYyOpPPAAABe8xRBTgCqjExMzQ1NDczNDc%3D&id=MDU6SXNzdWU0NDg5NjQ2Mzg%3D" ></div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI4ODc2NA=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI4ODc2NA==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDQ5NjI4ODc2NA==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-496288764"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="1c8daa0cffff730bca884ba40819d23536ac38dac1c7e3bb7a2605d23767f75c"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-496288764-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-496288764" id="issuecomment-496288764-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-05-27T19:14:59Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">Thanks for the report. What would you expect jQuery to do here?</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="5kwkv7aZ-GwsZTdIuLBqx0OpeDdkXiEaPAfDd3O-kgXiCI8R9smqeK-whHYX5WFo-_BRhb_UnKegrkyjrRugCw" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDQ5NjI4ODc2NA=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-496288764-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/496288764" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="hm7va3JikXxD69XPYfnXfE1G6/9XJ0j7wAPv+XqU9iBqaIF8WbZ9L2rIwtqJhegwtUf40tfQitnxR1IA3qqCkw==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/496288764/edit_form?textarea_id=issuecomment-496288764-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOkxhYmVsZWRFdmVudDIzNzAwNDM4MjQ="> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-2370043824"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-tag color-fg-inherit"> <path d="M1 7.775V2.75C1 1.784 1.784 1 2.75 1h5.025c.464 0 .91.184 1.238.513l6.25 6.25a1.75 1.75 0 0 1 0 2.474l-5.026 5.026a1.75 1.75 0 0 1-2.474 0l-6.25-6.25A1.752 1.752 0 0 1 1 7.775Zm1.5 0c0 .066.026.13.073.177l6.25 6.25a.25.25 0 0 0 .354 0l5.025-5.025a.25.25 0 0 0 0-.354l-6.25-6.25a.25.25 0 0 0-.177-.073H2.75a.25.25 0 0 0-.25.25ZM6 5a1 1 0 1 1 0 2 1 1 0 0 1 0-2Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added the <a id="label-40b891" href="/jquery/jquery/labels/Needs%20info" data-name="Needs info" style="--label-r:0;--label-g:0;--label-b:0;--label-h:0;--label-s:0;--label-l:0;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Needs info </a> label <a href="#event-2370043824" class="Link--secondary"><relative-time datetime="2019-05-27T19:15:03Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI4OTAxOQ=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI4OTAxOQ==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDQ5NjI4OTAxOQ==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-496289019"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="de1977a263d80efcb3398911dde9518bd2143c3d950b95ea2074a3b7c5231b85"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-496289019-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-496289019" id="issuecomment-496289019-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-05-27T19:16:21Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">Note, though, that jQuery doesn't support experimental APIs as they may change and then we're left with obsolete code. It's fine to experiment & think of the approaches but we'd wait with landing any actual code in the library for the spec to stabilize & to be implemented in at least 2 major browser engines.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="oFKW4WjA8qGQxbVW8pyXI7AItmeBJrOBUhN5waAVILOkFj1PKJCgtRMQBmhdyZyMCFGf1VqsDjzOuvYVfrASvQ" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDQ5NjI4OTAxOQ=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-496289019-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/496289019" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="5Ei8wHNGcEUsUHdnZOF/6FotccB0ITeTmgovcBZHldT0yVkCP8eg9mAa+ieknnC0sOk3jEk1bKwbeNfKyCzzfA==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/496289019/edit_form?textarea_id=issuecomment-496289019-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI5MjM0OQ=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI5MjM0OQ==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDQ5NjI5MjM0OQ==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/dmethvin/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/dmethvin"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/157858?s=80&u=7ae3f98f7bc0955e06b241ec28d78abc53db7e7b&v=4" width="40" height="40" alt="@dmethvin" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-496292349"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="014c7a49622135ab7aa0017399b001511814c496857be85a521308b17168daa4"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-496292349-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/dmethvin/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/dmethvin">dmethvin</a> </strong> commented <a href="#issuecomment-496292349" id="issuecomment-496292349-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-05-27T19:37:44Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">Yeah, this is a tough one. The team has discussed it for years and had issues determining how to make things safer without seriously redesigning the API. Most of our HTML goes through <code class="notranslate">jQuery.parseHTML()</code> and <code class="notranslate">jQuery.htmlPrefilter()</code> so it is currently possible to try and sanitize through that. There's the one fast path for <code class="notranslate">.html(string)</code> that assigns directly to <code class="notranslate">.innerHTML</code> but that already goes through the prefilter and could just be taken out if needed. The others are Sizzle feature checks for browsers we won't support in 4.0 anyway.</p> <p dir="auto">Perhaps we could recognize a Trusted Type and pass it through as if were HTML, but not actually do any manipulation with it, e.g. <code class="notranslate">$("div").append(someTrustedType)</code>. (As an aside, I would hope that a Trusted Type doesn't return an HTML representation when you call <code class="notranslate">.toString()</code> on it.)</p> <p dir="auto">Seems like they've taken old browsers into account with a <a href="https://github.com/WICG/trusted-types#tinyfill">simple polyfill</a> that just returns strings if the browser doesn't support Trusted Types.</p> <p dir="auto">But given where the implementations are at, it is probably too early to add any code.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="gCAiQZIvZavw9bcAIqBe3WVvChbpACVG5DqaDYbsS1-EZInv0n83v3MgBD6N9VVy3TYjpDKKmPt4kxXZWEl5UQ" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDQ5NjI5MjM0OQ=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-496292349-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/496292349" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="wM9+uitknMKpvDb33F7loluvskGeQ/QcX8voAgNoOGX3X/nIs6LSlLedYn6/mr/XSDw7ihvPb0L4Em8rpXY2mw==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/496292349/edit_form?textarea_id=issuecomment-496292349-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI5NjE5MA=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5NjI5NjE5MA==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDQ5NjI5NjE5MA==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/ghost/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ghost"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/10137?s=80&v=4" width="40" height="40" alt="@ghost" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-496296190"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="71276389a0e924d4281d15275d722bf93926f793edecc3b2d0001425dbb56da0"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-496296190-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="You are the author of this issue." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Author</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/ghost/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ghost">ghost</a> </strong> commented <a href="#issuecomment-496296190" id="issuecomment-496296190-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-05-27T20:03:13Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">I will add an extra comment as you added a '<strong>needs info</strong>' label. I totally understand that the Trusted Types API is right now in a trial. I thought maybe this issue could be dealt with in your future updates like in V4.0.0 and by then the API would have changed from a trial / draft spec to a more stable spec.</p> <p dir="auto">When I did a quick play around with Trusted Types API and jQuery V3.4.1 I got the following results:</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/17784082/58437472-0789e880-80c2-11e9-9675-e1297f5b80ec.png"><img src="https://user-images.githubusercontent.com/17784082/58437472-0789e880-80c2-11e9-9675-e1297f5b80ec.png" alt="58434496-dc989800-80b3-11e9-9f2f-2eabe3d329a4" style="max-width: 100%;"></a></p> <p dir="auto">DomPurifer have added this API see here for further details: <a href="https://github.com/cure53/DOMPurify#what-about-dompurify-and-trusted-types">https://github.com/cure53/DOMPurify#what-about-dompurify-and-trusted-types</a></p> <p dir="auto">I can't really say anymore and leave this issue open to other people to comment and add extra info and ideas.</p> <p dir="auto">I feel it would be a good feature request for jQuery in the near future and decided to open this issue in that regard. We all know about this problem for a long time, but a full solution has never been added yet.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="urPPOMCoqGjlvS22f4LNGaBACq0zWpJXoxvXi_MYIa6-92SWgPj6fGZonojQ18a2GBkjH-jQL-o_slhfLb0ToA" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDQ5NjI5NjE5MA=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-b07515" value="THUMBS_UP react" data-button-index-position="0" data-reaction-label="+1" data-reaction-content="+1" aria-pressed="false" aria-label="react with thumbs up" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji">👍</g-emoji> <span class="js-discussion-reaction-group-count">1</span> </button> <tool-tip id="tooltip-9fd68557-c1d0-4ea2-b544-08f6e1154765" for="reactions--reaction_button_component-b07515" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">Splaktar reacted with thumbs up emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="Splaktar reacted with thumbs up emoji"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji mr-2">👍</g-emoji> <span>1 reaction</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-496296190-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/496296190" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="xTsfURcf6BbHDmXc/vUrQBN5ackpv65JYdFP2uRxeeY/7m7MGXRLbpR9JwVYuiK8I8WRg7kcjpqFA13DsZSS+Q==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/496296190/edit_form?textarea_id=issuecomment-496296190-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOkxhYmVsZWRFdmVudDIzNzAxMDE2MDA="> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-2370101600"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-tag color-fg-inherit"> <path d="M1 7.775V2.75C1 1.784 1.784 1 2.75 1h5.025c.464 0 .91.184 1.238.513l6.25 6.25a1.75 1.75 0 0 1 0 2.474l-5.026 5.026a1.75 1.75 0 0 1-2.474 0l-6.25-6.25A1.752 1.752 0 0 1 1 7.775Zm1.5 0c0 .066.026.13.073.177l6.25 6.25a.25.25 0 0 0 .354 0l5.025-5.025a.25.25 0 0 0 0-.354l-6.25-6.25a.25.25 0 0 0-.177-.073H2.75a.25.25 0 0 0-.25.25ZM6 5a1 1 0 1 1 0 2 1 1 0 0 1 0-2Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added <a id="label-616c47" href="/jquery/jquery/labels/Needs%20review" data-name="Needs review" style="--label-r:251;--label-g:202;--label-b:4;--label-h:48;--label-s:96;--label-l:50;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Needs review </a> and removed <a id="label-21061b" href="/jquery/jquery/labels/Needs%20info" data-name="Needs info" style="--label-r:0;--label-g:0;--label-b:0;--label-h:0;--label-s:0;--label-l:0;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Needs info </a> labels <a href="#event-2370101600" class="Link--secondary"><relative-time datetime="2019-05-27T20:07:53Z" class="no-wrap">May 27, 2019</relative-time></a> </div> </div> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-2385470488"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-milestone color-fg-inherit"> <path d="M7.75 0a.75.75 0 0 1 .75.75V3h3.634c.414 0 .814.147 1.13.414l2.07 1.75a1.75 1.75 0 0 1 0 2.672l-2.07 1.75a1.75 1.75 0 0 1-1.13.414H8.5v5.25a.75.75 0 0 1-1.5 0V10H2.75A1.75 1.75 0 0 1 1 8.25v-3.5C1 3.784 1.784 3 2.75 3H7V.75A.75.75 0 0 1 7.75 0Zm4.384 8.5a.25.25 0 0 0 .161-.06l2.07-1.75a.248.248 0 0 0 0-.38l-2.07-1.75a.25.25 0 0 0-.161-.06H2.75a.25.25 0 0 0-.25.25v3.5c0 .138.112.25.25.25h9.384Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added this to the <a href="/jquery/jquery/milestone/7" class="Link--primary text-bold">4.0.0</a> milestone <a href="#event-2385470488" class="Link--secondary"><relative-time datetime="2019-06-03T16:18:42Z" class="no-wrap">Jun 3, 2019</relative-time></a> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5ODMyNjEwNQ=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDQ5ODMyNjEwNQ==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDQ5ODMyNjEwNQ==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-498326105"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="eca1ac13c53fc5e20f97e9d7f2d8b2d8397a4bcf2dcf6d9e1457eb04b6433e18"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-498326105-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-498326105" id="issuecomment-498326105-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-06-03T16:19:27Z" class="no-wrap">Jun 3, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">I added it to the 4.0.0 milestone so that we don’t forget about it when we get closer to the release.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="WfohVeKYx8bMqgRv6hTKFt0rTFpC0kblH4--toG7Jutdvor7osiV0k9_t1FFQcG5ZXJl6JlY-1iDJjFiXx4U5Q" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDQ5ODMyNjEwNQ=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-0bdbca" value="THUMBS_UP react" data-button-index-position="0" data-reaction-label="+1" data-reaction-content="+1" aria-pressed="false" aria-label="react with thumbs up" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji">👍</g-emoji> <span class="js-discussion-reaction-group-count">1</span> </button> <tool-tip id="tooltip-c840aab2-c11d-4fac-aeb6-8b76b8c9ab4c" for="reactions--reaction_button_component-0bdbca" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">Splaktar reacted with thumbs up emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="Splaktar reacted with thumbs up emoji"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji mr-2">👍</g-emoji> <span>1 reaction</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-498326105-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/498326105" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="zwgWv446kQL20ET4Nfs/r/LrPUIHn3JNU0v25jfRiA9InVUoViMXmoW+L7hW5TWl1PwpD+9Wk8KYHbOAzMsA1Q==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/498326105/edit_form?textarea_id=issuecomment-498326105-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDUwMDQ2OTI0Mg=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDUwMDQ2OTI0Mg==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDUwMDQ2OTI0Mg==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/timmywil/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/timmywil"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/192451?s=80&u=87bb288625344ca77e806bf83a5ab82b3645fbe9&v=4" width="40" height="40" alt="@timmywil" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-500469242"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="104784e9f6d7fbee913cc49ede7e320ad7c9e3667c1668de762d233d34e0e019"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-500469242-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/timmywil/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/timmywil">timmywil</a> </strong> commented <a href="#issuecomment-500469242" id="issuecomment-500469242-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2019-06-10T15:51:04Z" class="no-wrap">Jun 10, 2019</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">I'm in favor of this. We'll keep an eye on the spec status and revisit later.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="u8Jl6ECWDu9Fa6t-Nr9xsUhjK8b8def7cW4J_MVIsWi_hs5GAMZc-8a-GECZ6noe8DoCdCf_Wkbtx4YoG-2DZg" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDUwMDQ2OTI0Mg=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-500469242-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/500469242" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="EYfSgYeV2Ofkl9BaJIQ/w+TuX7OBD1P9wQRHjl/XmVKNJomFNTudPDkuS+RtMr4zAvS2ohYGBvnvzLwmUm9wkw==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/500469242/edit_form?textarea_id=issuecomment-500469242-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDE0OlVubGFiZWxlZEV2ZW50MjQwMTM5MTY2OQ=="> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-2401391669"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-tag color-fg-inherit"> <path d="M1 7.775V2.75C1 1.784 1.784 1 2.75 1h5.025c.464 0 .91.184 1.238.513l6.25 6.25a1.75 1.75 0 0 1 0 2.474l-5.026 5.026a1.75 1.75 0 0 1-2.474 0l-6.25-6.25A1.752 1.752 0 0 1 1 7.775Zm1.5 0c0 .066.026.13.073.177l6.25 6.25a.25.25 0 0 0 .354 0l5.025-5.025a.25.25 0 0 0 0-.354l-6.25-6.25a.25.25 0 0 0-.177-.073H2.75a.25.25 0 0 0-.25.25ZM6 5a1 1 0 1 1 0 2 1 1 0 0 1 0-2Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/timmywil/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/timmywil"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/192451?s=40&u=87bb288625344ca77e806bf83a5ab82b3645fbe9&v=4" width="20" height="20" alt="@timmywil" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/timmywil/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/timmywil">timmywil</a> removed the <a id="label-686db8" href="/jquery/jquery/labels/Needs%20review" data-name="Needs review" style="--label-r:251;--label-g:202;--label-b:4;--label-h:48;--label-s:96;--label-l:50;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Needs review </a> label <a href="#event-2401391669" class="Link--secondary"><relative-time datetime="2019-06-10T15:51:08Z" class="no-wrap">Jun 10, 2019</relative-time></a> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <img src="https://avatars.githubusercontent.com/u/10137?s=32&v=4" alt="@ghost" height="20" width="20" class="avatar avatar-user"> <strong class="author">ghost</strong> mentioned this issue <a class="Link--secondary" href="#ref-issue-490651565" > <relative-time datetime="2019-09-07T23:31:38Z" class="no-wrap">Sep 7, 2019</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-490651565" > <a href="/octobercms/october/issues/4607" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/octobercms/october/issues/4607/hovercard"> October CMS version 2 <span class="color-fg-muted text-normal" >octobercms/october#4607</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Closed" data-view-component="true" class="State State--merged State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-issue-closed flex-items-center mr-1"> <path d="M11.28 6.78a.75.75 0 0 0-1.06-1.06L7.25 8.69 5.78 7.22a.75.75 0 0 0-1.06 1.06l2 2a.75.75 0 0 0 1.06 0l3.5-3.5Z"></path><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0Zm-1.5 0a6.5 6.5 0 1 0-13 0 6.5 6.5 0 0 0 13 0Z"></path> </svg> Closed </span> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNDIzMTIwMg=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNDIzMTIwMg==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDYzNDIzMTIwMg==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-634231202"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="57dfc752f0b141af25c3a74ce262bb447b4d73bd36d27ba1753531228f3c45bb"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-634231202-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-634231202" id="issuecomment-634231202-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2020-05-26T19:30:57Z" class="no-wrap">May 26, 2020</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="621606293" data-permission-text="Title is private" data-url="https://github.com/angular/angular.js/issues/17028" data-hovercard-type="pull_request" data-hovercard-url="/angular/angular.js/pull/17028/hovercard" href="https://github.com/angular/angular.js/pull/17028">angular/angular.js#17028</a> has some code that I'd like to backport to jQuery, at least to the <code class="notranslate">master</code> branch. It might be hard to do on the 3.x line as IE 9 needs the existing approach so we'd have to fork logic, increasing the size significantly which we usually try to avoid.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="oRqsFkP_9lgTuNtKUOL0pGg6ObcI_oWJiKosiQiGAhilXge4A6-kTJBtaHT_t_8L0GMQBdN0ODQUA6Nd1iMwFg" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDYzNDIzMTIwMg=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-8877f1" value="THUMBS_UP react" data-button-index-position="0" data-reaction-label="+1" data-reaction-content="+1" aria-pressed="false" aria-label="react with thumbs up" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji">👍</g-emoji> <span class="js-discussion-reaction-group-count">2</span> </button> <tool-tip id="tooltip-70923abb-191f-45af-8e10-71c0d5aff050" for="reactions--reaction_button_component-8877f1" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">Splaktar and melloware reacted with thumbs up emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="Splaktar and melloware reacted with thumbs up emoji"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji mr-2">👍</g-emoji> <span>2 reactions</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-634231202-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/634231202" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="iZl/zSQEFFbacbPbQANVAzPCbFmAbROlwX4y9PU5o0A3laDL8IU8BEp6UI7BioAd8dmX8axdwZDO0xEi8eZaLg==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/634231202/edit_form?textarea_id=issuecomment-634231202-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEzOkFzc2lnbmVkRXZlbnQzMzc1MDU5MDg0"> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-3375059084"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-person color-fg-inherit"> <path d="M10.561 8.073a6.005 6.005 0 0 1 3.432 5.142.75.75 0 1 1-1.498.07 4.5 4.5 0 0 0-8.99 0 .75.75 0 0 1-1.498-.07 6.004 6.004 0 0 1 3.431-5.142 3.999 3.999 0 1 1 5.123 0ZM10.5 5a2.5 2.5 0 1 0-5 0 2.5 2.5 0 0 0 5 0Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> self-assigned this <a href="#event-3375059084" class="Link--secondary"><relative-time datetime="2020-05-26T19:31:02Z" class="no-wrap">May 26, 2020</relative-time></a> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/Splaktar/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/Splaktar"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/3506071?s=40&v=4" width="20" height="20" alt="@Splaktar" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/Splaktar/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/Splaktar">Splaktar</a> mentioned this issue <a class="Link--secondary" href="#ref-pullrequest-621606293" > <relative-time datetime="2020-05-26T20:01:22Z" class="no-wrap">May 26, 2020</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-pullrequest-621606293" > <a href="/angular/angular.js/pull/17028" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="pull_request" data-hovercard-url="/angular/angular.js/pull/17028/hovercard"> fix(jqLite): prevent possible XSS due to regex-based HTML replacement <span class="color-fg-muted text-normal" >angular/angular.js#17028</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Merged" data-view-component="true" class="State State--merged State--small"> <svg height="14" class="octicon octicon-git-merge" viewBox="0 0 16 16" version="1.1" width="14" aria-hidden="true"><path d="M5.45 5.154A4.25 4.25 0 0 0 9.25 7.5h1.378a2.251 2.251 0 1 1 0 1.5H9.25A5.734 5.734 0 0 1 5 7.123v3.505a2.25 2.25 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.95-.218ZM4.25 13.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm8.5-4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5ZM5 3.25a.75.75 0 1 0 0 .005V3.25Z"></path></svg> Merged </span> </div> </div> <tracked-issues-progress data-total="3" data-completed="0" data-type="other"> <div class="d-inline-flex flex-row flex-items-center text-small"> <span data-target="tracked-issues-progress.checklist" style="display: inline"> <svg style="display: inline" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-checklist"> <path d="M2.5 1.75v11.5c0 .138.112.25.25.25h3.17a.75.75 0 0 1 0 1.5H2.75A1.75 1.75 0 0 1 1 13.25V1.75C1 .784 1.784 0 2.75 0h8.5C12.216 0 13 .784 13 1.75v7.736a.75.75 0 0 1-1.5 0V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13.274 9.537v-.001l-4.557 4.45a.75.75 0 0 1-1.055-.008l-1.943-1.95a.75.75 0 0 1 1.062-1.058l1.419 1.425 4.026-3.932a.75.75 0 1 1 1.048 1.074ZM4.75 4h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1 0-1.5ZM4 7.75A.75.75 0 0 1 4.75 7h2a.75.75 0 0 1 0 1.5h-2A.75.75 0 0 1 4 7.75Z"></path> </svg> </span> <span style="transform:rotate(-90deg); width:12px; height:12px; display: none"> <svg width="12" height="12" data-target="tracked-issues-progress.progress" data-circumference="31" > <circle stroke="var(--borderColor-accent-muted, var(--color-accent-subtle))" stroke-width="2" fill="transparent" cx="50%" cy="50%" r="5" /> <circle data-target="tracked-issues-progress.stroke" style="transition: stroke-dashoffset 0.35s; transform: rotate(5.806451612903226deg); transform-origin: center" stroke="var(--fgColor-accent, var(--color-accent-fg))" stroke-width="2" stroke-dasharray="31" stroke-dashoffset="32.0" stroke-linecap="round" fill="transparent" cx="50%" cy="50%" r="5" /> </svg> </span> <span class="text-normal no-wrap mr-1 ml-1" data-target="tracked-issues-progress.label">3 tasks</span> </div> </tracked-issues-progress> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNDYyNzg4Mw=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNDYyNzg4Mw==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDYzNDYyNzg4Mw==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=80&v=4" width="40" height="40" alt="@koto" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-634627883"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="7888d7deb621e5d653b3f104cc351b047fe751f87e025b431098df42da8352fe"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-634627883-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto">koto</a> </strong> commented <a href="#issuecomment-634627883" id="issuecomment-634627883-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2020-05-27T12:31:00Z" class="no-wrap">May 27, 2020</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">Bringing in the comment from <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="621606293" data-permission-text="Title is private" data-url="https://github.com/angular/angular.js/issues/17028" data-hovercard-type="pull_request" data-hovercard-url="/angular/angular.js/pull/17028/hovercard" href="https://github.com/angular/angular.js/pull/17028">angular/angular.js#17028</a></p> <blockquote> <p dir="auto">I've been thinking about including similar improvements [Trusted Types support] to jQuery. AngularJS has included code specific to APIs not available cross-browser like Chrome apps and now possibly trusted types but jQuery has historically avoided such things. Avoiding innerHTML for wrapping like done in this PR would work but we wouldn't want to mention the TrustedHTML constructor explicitly as long as it's a Blink-only feature.</p> </blockquote> <p dir="auto">To clarify, TT are intended to be rolled out as a regular web API, but you're correct - for now this is only implemented in Blink (and <a href="https://github.com/w3c/webappsec-trusted-types#polyfill">polyfilled</a> in other browsers).</p> <blockquote> <p dir="auto">Do you think there's any other way to support this use case without mentioning any trusted types API explicitly? I'm asking here as if it's possible maybe the same technique could be applied here. If you prefer to continue this part of the discussion on the jQuery side, there's an open issue about trusted types support: <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">#4409</a>.</p> </blockquote> <p dir="auto">In general most of jQuery APIs seem to fit well into what we call "tt-agnostic" bucket. In other words, they should be able to accept TT instances (in place of strings) and pass them without modification to DOM.</p> <p dir="auto">Some of jQuery behavior violates that. For example, some of the tag wrapping code + self-closing tag expansion that was just changed due to XSS issues. Large parts of these patterns could be gated on browser checks, especially if they workaround some legacy browser behavior.</p> <p dir="auto">Some things still remain though, e.g. jQuery IIRC still expands <code class="notranslate"><script></code> nodes and tries to execute them separately -- and in general jQuery APIs are quite polymorphic, trying to detect the parameter type and do the appropriate thing (<code class="notranslate">jQuery()</code>function for example is very much like that). This paradigm may make it difficult to untangle and simply add support for a new value type, as you might often collide with types already passed to your functions in the wild.</p> <p dir="auto">Usually there is a way to become tt-agnostic with no backward compatibility issues without referencing TrustedTypes at all, as DOM APIs are very rarely called with Objects, and Trusted Type instances are Objects. Unfortunately, jQuery offers a very limited API for <a href="https://api.jquery.com/jQuery/#jQuery-object" rel="nofollow">jQuery(plainObject)</a> case. The only way I see is to not recognise TrustedTypes as <code class="notranslate">isPlainObject</code>s and introduce a branch for "immutable HTML objects" in <code class="notranslate">jQuery()</code>, opting them out of modifications. But this requires referencing TT.</p> <p dir="auto">Adding such support should not cause b/w compatibility issues, as it's simply a new way of using jQuery APIs (one that happens not to violate TT restrictions that might be present in your CSP), that some applications may use. I'm confident that with relatively small changes we might be able to support most use cases.</p> <p dir="auto">That said, I'm a bit skeptical <em>all</em> applications using jQuery could migrate to "TT mode" by a single configuration switch. Quite likely some jQuery functions would have to change the behavior, error out, or produce types internally when called with Trusted Types (<code class="notranslate">script</code> node reparsing comes to mind). It's a judgement call on how to treat each of the cases like this. For example, perhaps jQuery customer could configure it with a <a href="https://web.dev/trusted-types/#create-a-trusted-type-policy" rel="nofollow">policy</a> to call when it needs to change HTML - giving users a hook to sanitize the resulting HTML. You could call it a <code class="notranslate">htmlPostFilter</code> function and not reference TT there at all. But some things (e.g. cross-frame issues) will likely remain incompatible with TT, and would need a change in the application.</p> <p dir="auto">One important thing to note is that TT should not be treated as "better strings for HTML", and you should never <em>return</em> a Trusted Type when the caller expects a string - we got bit by this when making <code class="notranslate">DOMPurify.sanitize</code>return a TrustedHTML, that broke projects that called <code class="notranslate">DOMPurify.sanitize(foo).replace</code> - a method that does not exist. But jQuery, to my understanding should not return a Trusted Type, but rather accept it (or, perhaps produce it and use internally).</p> <p dir="auto">I'm happy to help with fleshing out the integration, or even brainstorming about issues with one. While I don't have tons experience with recent jQuery, we have done our share of TT integrations already and know some best practices and antipatterns. What would be the next best steps?</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="yTDbOwBdjIBsBXCkCuPsmGd46Sx-wEfE9EbbYpQig8zNdHCVQA3elO_Qw5qltuc33yHAnqVK-nlo71S2Soexwg" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDYzNDYyNzg4Mw=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-d3e735" value="THUMBS_UP react" data-button-index-position="0" data-reaction-label="+1" data-reaction-content="+1" aria-pressed="false" aria-label="react with thumbs up" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji">👍</g-emoji> <span class="js-discussion-reaction-group-count">1</span> </button> <tool-tip id="tooltip-927fd9fb-8442-4ebe-aec3-ce9e92fb816e" for="reactions--reaction_button_component-d3e735" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">Sora2455 reacted with thumbs up emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="Sora2455 reacted with thumbs up emoji"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji mr-2">👍</g-emoji> <span>1 reaction</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-634627883-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/634627883" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="D17wyeA1VthcveuAua3JxgctkLFTXLI9+rEmiF79d9CCZm578sUHYcmdiWQvC1XxlC4pnVrOhdXnUhB62xbaCQ==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/634627883/edit_form?textarea_id=issuecomment-634627883-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNjAzNjY2MA=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNjAzNjY2MA==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDYzNjAzNjY2MA==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-636036660"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="39b4d4c6be97d659dce001bc775c26475b472fd6b6b35fe222fc239b2ec57cee"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-636036660-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-636036660" id="issuecomment-636036660-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2020-05-29T15:29:42Z" class="no-wrap">May 29, 2020</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/koto">@koto</a> Thanks for a detailed comment!</p> <blockquote> <p dir="auto">In general most of jQuery APIs seem to fit well into what we call "tt-agnostic" bucket. In other words, they should be able to accept TT instances (in place of strings) and pass them without modification to DOM.</p> <p dir="auto">Some of jQuery behavior violates that. For example, some of the tag wrapping code + self-closing tag expansion that was just changed due to XSS issues.</p> </blockquote> <p dir="auto">Fortunately, that function has been changed to an identity function in jQuery 3.5.0 so it'd no longer break a trusted type wrapped HTML.</p> <blockquote> <p dir="auto">Large parts of these patterns could be gated on browser checks, especially if they workaround some legacy browser behavior.</p> </blockquote> <p dir="auto">There's an important aspect here. jQuery generally avoids browser detection, instead opting for support tests. The <code class="notranslate">master</code> branch doesn't contain a lot of them right now as most were meant for IE which we now just detect via <code class="notranslate">document.documentMode</code> but that's the only browser sniffing we accept (as IE is feature-dead so the risk is low). Those feature tests sometimes need to use <code class="notranslate">innerHTML</code>-based assignments, see e.g. this test for a Safari 8 issue:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/src/core/support.js#L13-L17">https://github.com/jquery/jquery/blob/3.5.1/src/core/support.js#L13-L17</a><br> While we don't have many tests like that - and none on <code class="notranslate">master</code> at the moment, we can't be sure there won't be a need for a new one in the future.</p> <p dir="auto">We already had to be careful here due to CSP issues which we test for:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/test/unit/support.js#L40-L55">https://github.com/jquery/jquery/blob/3.5.1/test/unit/support.js#L40-L55</a><br> but it doesn't block <code class="notranslate">innerHTML</code> as a whole which Trusted Types enforcement would do.</p> <p dir="auto">I feel this is a more generic issue with CSP, though: what we need is a way to run support tests in a secure way that's not blocked by CSP. The environment where we run them could be isolated from the real webpage in which case there would be no security risk even if we used inline code, raw HTML strings, etc. Is it likely we'll get something like that?</p> <blockquote> <p dir="auto">Some things still remain though, e.g. jQuery IIRC still expands <code class="notranslate"><script></code> nodes and tries to execute them separately</p> </blockquote> <p dir="auto">That's a good argument for us to stop doing that by default in jQuery 4. This would be a significant breaking change, though, so we'd still need to add a non-default way to keep the old behavior.</p> <blockquote> <p dir="auto">Usually there is a way to become tt-agnostic with no backward compatibility issues without referencing TrustedTypes at all, as DOM APIs are very rarely called with Objects, and Trusted Type instances are Objects. Unfortunately, jQuery offers a very limited API for <a href="https://api.jquery.com/jQuery/#jQuery-object" rel="nofollow">jQuery(plainObject)</a> case. The only way I see is to not recognise TrustedTypes as <code class="notranslate">isPlainObject</code>s and introduce a branch for "immutable HTML objects" in <code class="notranslate">jQuery()</code>, opting them out of modifications. But this requires referencing TT.</p> </blockquote> <p dir="auto">This API only accepts plain objects, though. We could perhaps make that explicit & treat non-plain objects in a different manner. The only issue is that the <code class="notranslate">jQuery()</code> function mostly serves two purposes: as a shortcut of <code class="notranslate">jQuery(cssSelector)</code> to <code class="notranslate">$(document).find(cssSelector)</code> and as a mechanism to create new elements representing a provided HTML string which more or less depends on whether the string starts with <code class="notranslate"><</code>, possibly preceded by whitespace:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/src/core/init.js#L36-L41">https://github.com/jquery/jquery/blob/3.5.1/src/core/init.js#L36-L41</a><br> or:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/src/core/init.js#L50-L51">https://github.com/jquery/jquery/blob/3.5.1/src/core/init.js#L50-L51</a><br> This is such a fundamental property of the library that it's impossible to give up on this polymorphism. Maybe it's not an issue since trusted HTML stringifies to the underlying HTML, though, we'd just need to cast it to string before running the checks?</p> <p dir="auto">I feel a bit uneasy to explicitly mention the API in jQuery source; we've seen it a few times that APIs only supported by one browser may disappear or change significantly before being accepted accross all the major engines and then we'd often have to support both the old & new APIs. I'd like to first research how far we can go without relying on the API explicitly.</p> <blockquote> <p dir="auto">I'm happy to help with fleshing out the integration, or even brainstorming about issues with one. While I don't have tons experience with recent jQuery, we have done our share of TT integrations already and know some best practices and antipatterns. What would be the next best steps?</p> </blockquote> <p dir="auto">I think I'll first backport the AngularJS changes to jQuery <code class="notranslate">master</code> & then the next step would be to try to fix the <code class="notranslate">jQuery()</code> method to not break on trusted types via means I described above. For now I'd focus on the <code class="notranslate">master</code> branch; if we make it there, we could consider whether that's possible to backport to the 3.x line, although I'm a bit skeptical here.</p> <p dir="auto">It'd also help if we had an answer for how to handle support tests in a secure, CSP-compliant way; in particular, if we can get any browser APIs that would allow them to run in a sandboxed environment even with CSP enabled.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="nttKIbozodVyTn3Hj8TEPNk0jvWE9sCgGqVYC6fNrPqan-GP-mPzwfGbzvkgkc-TYW2nR198fR2GDNffeWie9A" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDYzNjAzNjY2MA=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-636036660-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/636036660" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="jOxmRirW9fyAxN4NEpsVaPdbLKMifwdvCLrhUEFv0KBWClw2m2hdIeIX5HF7fw1EQF6gROBwjQauwfIozi3VPw==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/636036660/edit_form?textarea_id=issuecomment-636036660-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDE1OlJlZmVyZW5jZWRFdmVudDMzOTEwMTAxNDA="> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-b9588a7"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit that referenced this issue <a href="#ref-commit-b9588a7" class="Link--secondary"> <relative-time datetime="2020-05-31T21:54:02Z" class="no-wrap">May 31, 2020</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzoxNjcxNzQ6Y29tbWl0OmI5NTg4YTc1NThmNTQ2ZTAzMjhjYTIzNzViNzgzZGQyZWVjYWFmMDEiLCJ0IjoxNzMyODQwMTcwfQ==--88fa2893fd3915f41ab71d3323d67d2521acfb3ec38148dadbd9d5aa95d70cd8" data-url="/jquery/jquery/commit/b9588a7558f546e0328ca2375b783dd2eecaaf01/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Manipulation: Avoid concatenating strings in buildFragment Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref gh-4409" data-pjax="true" class="Link--secondary markdown-title" href="/jquery/jquery/commit/b9588a7558f546e0328ca2375b783dd2eecaaf01">Manipulation: Avoid concatenating strings in buildFragment</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0MTY3MTc0OmI5NTg4YTc1NThmNTQ2ZTAzMjhjYTIzNzViNzgzZGQyZWVjYWFmMDE=" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/jquery/jquery/commit/b9588a7558f546e0328ca2375b783dd2eecaaf01" class="Link--secondary">b9588a7</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](<a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a>). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">gh-4409</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> mentioned this issue <a class="Link--secondary" href="#ref-pullrequest-628051700" > <relative-time datetime="2020-05-31T21:54:41Z" class="no-wrap">May 31, 2020</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-pullrequest-628051700" > <a href="/jquery/jquery/pull/4723" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4723/hovercard"> [] <span class="color-fg-muted text-normal" >#4723</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Closed" data-view-component="true" class="State State--closed State--small"> <svg height="14" class="octicon octicon-git-pull-request-closed" viewBox="0 0 16 16" version="1.1" width="14" aria-hidden="true"><path d="M3.25 1A2.25 2.25 0 0 1 4 5.372v5.256a2.251 2.251 0 1 1-1.5 0V5.372A2.251 2.251 0 0 1 3.25 1Zm9.5 5.5a.75.75 0 0 1 .75.75v3.378a2.251 2.251 0 1 1-1.5 0V7.25a.75.75 0 0 1 .75-.75Zm-2.03-5.273a.75.75 0 0 1 1.06 0l.97.97.97-.97a.748.748 0 0 1 1.265.332.75.75 0 0 1-.205.729l-.97.97.97.97a.751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018l-.97-.97-.97.97a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l.97-.97-.97-.97a.75.75 0 0 1 0-1.06ZM2.5 3.25a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0ZM3.25 12a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm9.5 0a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Z"></path></svg> Closed </span> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNjUzNTk4Mw=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzNjUzNTk4Mw==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDYzNjUzNTk4Mw==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-636535983"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="eb78959f17ac04687b09fcdf140bdbd601c7276247875f475773dc23843cb5b6"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-636535983-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-636535983" id="issuecomment-636535983-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2020-05-31T21:55:24Z" class="no-wrap">May 31, 2020</relative-time></a> <span class="js-comment-edit-history"> <span class="d-inline-block color-fg-muted">•</span> <details class="details-overlay details-reset d-inline-block dropdown hx_dropdown-fullscreen"> <summary class="btn-link no-underline color-fg-muted js-notice"> <div class="position-relative"> <span> edited </span> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-triangle-down v-align-middle"> <path d="m4.427 7.427 3.396 3.396a.25.25 0 0 0 .354 0l3.396-3.396A.25.25 0 0 0 11.396 7H4.604a.25.25 0 0 0-.177.427Z"></path> </svg> </div> </summary> <details-menu class="dropdown-menu dropdown-menu-s width-auto py-0 js-comment-edit-history-menu" style="max-width: 352px; z-index: 99;" src="/user_content_edits/show_edit_history_log/MDEyOklzc3VlQ29tbWVudDYzNjUzNTk4Mw==" preload > <include-fragment class="my-3" style="min-width: 100px;" aria-label="Loading..."> <span data-view-component="true"> <svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" aria-hidden="true" data-view-component="true" class="mx-auto d-block anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg> <span class="sr-only">Loading</span> </span> </include-fragment> </details-menu> </details> </span> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">The first PR (backporting some AngularJS changes) is ready for review at <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">#4724</a>.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="WF5szWRig0kQtS6fSTyasr3qF302094MNRvOkxyfQp1cGsdjJDLRXZNgnaHmaZEdBbM-z-1ZY7GpskFHwjpwkw" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDYzNjUzNTk4Mw=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-0a8ef1" value="HOORAY react" data-button-index-position="3" data-reaction-label="Hooray" data-reaction-content="tada" aria-pressed="false" aria-label="react with hooray" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="tada" fallback-src="https://github.githubassets.com/assets/1f389-36899a2cb781.png" class="social-button-emoji">🎉</g-emoji> <span class="js-discussion-reaction-group-count">1</span> </button> <tool-tip id="tooltip-c2abae01-cd2b-4123-a3af-1f808d09ae4a" for="reactions--reaction_button_component-0a8ef1" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">timmywil reacted with hooray emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="timmywil reacted with hooray emoji"> <g-emoji alias="tada" fallback-src="https://github.githubassets.com/assets/1f389-36899a2cb781.png" class="social-button-emoji mr-2">🎉</g-emoji> <span>1 reaction</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-636535983-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/636535983" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="b12RYIUjLLXtiRIXSKcMHsjomH5b0Fj4v+Fix4O/taqh/kgCsNeeWEhkxbeJ9+AbNHGw2t08HZqCjV0X6fFZNA==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/636535983/edit_form?textarea_id=issuecomment-636535983-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDIwOkNyb3NzUmVmZXJlbmNlZEV2ZW50MTAzNTQ3OTM1Nw=="> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> mentioned this issue <a class="Link--secondary" href="#ref-pullrequest-628052090" > <relative-time datetime="2020-05-31T21:57:20Z" class="no-wrap">May 31, 2020</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-pullrequest-628052090" > <a href="/jquery/jquery/pull/4724" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard"> Manipulation: Avoid concatenating strings in buildFragment <span class="color-fg-muted text-normal" >#4724</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Merged" data-view-component="true" class="State State--merged State--small"> <svg height="14" class="octicon octicon-git-merge" viewBox="0 0 16 16" version="1.1" width="14" aria-hidden="true"><path d="M5.45 5.154A4.25 4.25 0 0 0 9.25 7.5h1.378a2.251 2.251 0 1 1 0 1.5H9.25A5.734 5.734 0 0 1 5 7.123v3.505a2.25 2.25 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.95-.218ZM4.25 13.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm8.5-4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5ZM5 3.25a.75.75 0 1 0 0 .005V3.25Z"></path></svg> Merged </span> </div> </div> <tracked-issues-progress data-total="3" data-completed="0" data-type="other"> <div class="d-inline-flex flex-row flex-items-center text-small"> <span data-target="tracked-issues-progress.checklist" style="display: inline"> <svg style="display: inline" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-checklist"> <path d="M2.5 1.75v11.5c0 .138.112.25.25.25h3.17a.75.75 0 0 1 0 1.5H2.75A1.75 1.75 0 0 1 1 13.25V1.75C1 .784 1.784 0 2.75 0h8.5C12.216 0 13 .784 13 1.75v7.736a.75.75 0 0 1-1.5 0V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13.274 9.537v-.001l-4.557 4.45a.75.75 0 0 1-1.055-.008l-1.943-1.95a.75.75 0 0 1 1.062-1.058l1.419 1.425 4.026-3.932a.75.75 0 1 1 1.048 1.074ZM4.75 4h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1 0-1.5ZM4 7.75A.75.75 0 0 1 4.75 7h2a.75.75 0 0 1 0 1.5h-2A.75.75 0 0 1 4 7.75Z"></path> </svg> </span> <span style="transform:rotate(-90deg); width:12px; height:12px; display: none"> <svg width="12" height="12" data-target="tracked-issues-progress.progress" data-circumference="31" > <circle stroke="var(--borderColor-accent-muted, var(--color-accent-subtle))" stroke-width="2" fill="transparent" cx="50%" cy="50%" r="5" /> <circle data-target="tracked-issues-progress.stroke" style="transition: stroke-dashoffset 0.35s; transform: rotate(5.806451612903226deg); transform-origin: center" stroke="var(--fgColor-accent, var(--color-accent-fg))" stroke-width="2" stroke-dasharray="31" stroke-dashoffset="32.0" stroke-linecap="round" fill="transparent" cx="50%" cy="50%" r="5" /> </svg> </span> <span class="text-normal no-wrap mr-1 ml-1" data-target="tracked-issues-progress.label">3 tasks</span> </div> </tracked-issues-progress> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-8a24861"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-8a24861" class="Link--secondary"> <relative-time datetime="2020-05-31T21:59:36Z" class="no-wrap">May 31, 2020</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDo4YTI0ODYxY2ZmOGZhMzExODQ4OTY3ODczOWJhNWVmZDAyYzlkZmJmIiwidCI6MTczMjg0MDE3MH0=--8d06670914342f59cf32342bb522b39bad5ed91963613c726e65a5ff6b4e372c" data-url="/mgol/jquery/commit/8a24861cff8fa3118489678739ba5efd02c9dfbf/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Manipulation: Avoid concatenating strings in buildFragment Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref gh-4409" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/8a24861cff8fa3118489678739ba5efd02c9dfbf">Manipulation: Avoid concatenating strings in buildFragment</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTo4YTI0ODYxY2ZmOGZhMzExODQ4OTY3ODczOWJhNWVmZDAyYzlkZmJm" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/8a24861cff8fa3118489678739ba5efd02c9dfbf" class="Link--secondary">8a24861</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](<a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a>). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-876c924"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-876c924" class="Link--secondary"> <relative-time datetime="2020-06-01T16:02:14Z" class="no-wrap">Jun 1, 2020</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDo4NzZjOTI0M2Q2MmI4MmExNTMyNzNjZDkyYjk5ZDgyODIzMDkxMWVjIiwidCI6MTczMjg0MDE3MH0=--9dfc870c0a3dfcaf9839449b7b4df0c6887f321b79492df576f2127b63d6dd4e" data-url="/mgol/jquery/commit/876c9243d62b82a153273cd92b99d828230911ec/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Manipulation: Avoid concatenating strings in buildFragment Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref gh-4409" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/876c9243d62b82a153273cd92b99d828230911ec">Manipulation: Avoid concatenating strings in buildFragment</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTo4NzZjOTI0M2Q2MmI4MmExNTMyNzNjZDkyYjk5ZDgyODIzMDkxMWVj" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/876c9243d62b82a153273cd92b99d828230911ec" class="Link--secondary">876c924</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](<a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a>). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-da74354"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-da74354" class="Link--secondary"> <relative-time datetime="2020-06-01T16:25:57Z" class="no-wrap">Jun 1, 2020</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDpkYTc0MzU0NzI3MzZiNzRjNjRiZGE3YjA2NTY2YjE2ZTFlZjQzYmNjIiwidCI6MTczMjg0MDE3MH0=--28d30b016688bac9ba65460822efdf6849cc78b227029ce9330613af5ec928d1" data-url="/mgol/jquery/commit/da7435472736b74c64bda7b06566b16e1ef43bcc/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Manipulation: Avoid concatenating strings in buildFragment Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref gh-4409 Ref angular/angular.js#17028" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/da7435472736b74c64bda7b06566b16e1ef43bcc">Manipulation: Avoid concatenating strings in buildFragment</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTpkYTc0MzU0NzI3MzZiNzRjNjRiZGE3YjA2NTY2YjE2ZTFlZjQzYmNj" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/da7435472736b74c64bda7b06566b16e1ef43bcc" class="Link--secondary">da74354</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](<a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a>). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="621606293" data-permission-text="Title is private" data-url="https://github.com/angular/angular.js/issues/17028" data-hovercard-type="pull_request" data-hovercard-url="/angular/angular.js/pull/17028/hovercard" href="https://github.com/angular/angular.js/pull/17028">angular/angular.js#17028</a></pre> </div> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzODI2ODgzNg=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzODI2ODgzNg==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDYzODI2ODgzNg==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=80&v=4" width="40" height="40" alt="@koto" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-638268836"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="1236e9b3c46f4f7f589834967c0e3f645ca28603e934f6903b3bc62ab0231909"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-638268836-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto">koto</a> </strong> commented <a href="#issuecomment-638268836" id="issuecomment-638268836-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2020-06-03T15:23:09Z" class="no-wrap">Jun 3, 2020</relative-time></a> <span class="js-comment-edit-history"> <span class="d-inline-block color-fg-muted">•</span> <details class="details-overlay details-reset d-inline-block dropdown hx_dropdown-fullscreen"> <summary class="btn-link no-underline color-fg-muted js-notice"> <div class="position-relative"> <span> edited </span> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-triangle-down v-align-middle"> <path d="m4.427 7.427 3.396 3.396a.25.25 0 0 0 .354 0l3.396-3.396A.25.25 0 0 0 11.396 7H4.604a.25.25 0 0 0-.177.427Z"></path> </svg> </div> </summary> <details-menu class="dropdown-menu dropdown-menu-s width-auto py-0 js-comment-edit-history-menu" style="max-width: 352px; z-index: 99;" src="/user_content_edits/show_edit_history_log/MDEyOklzc3VlQ29tbWVudDYzODI2ODgzNg==" preload > <include-fragment class="my-3" style="min-width: 100px;" aria-label="Loading..."> <span data-view-component="true"> <svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" aria-hidden="true" data-view-component="true" class="mx-auto d-block anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg> <span class="sr-only">Loading</span> </span> </include-fragment> </details-menu> </details> </span> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <blockquote> <blockquote> <p dir="auto">Large parts of these patterns could be gated on browser checks, especially if they workaround some legacy browser behavior.</p> </blockquote> <p dir="auto">There's an important aspect here. jQuery generally avoids browser detection, instead opting for support tests. The <code class="notranslate">master</code> branch doesn't contain a lot of them right now as most were meant for IE which we now just detect via <code class="notranslate">document.documentMode</code> but that's the only browser sniffing we accept (as IE is feature-dead so the risk is low). Those feature tests sometimes need to use <code class="notranslate">innerHTML</code>-based assignments, see e.g. this test for a Safari 8 issue:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/src/core/support.js#L13-L17">https://github.com/jquery/jquery/blob/3.5.1/src/core/support.js#L13-L17</a><br> While we don't have many tests like that - and none on <code class="notranslate">master</code> at the moment, we can't be sure there won't be a need for a new one in the future.</p> </blockquote> <p dir="auto">Understood. There's always a possibility that <code class="notranslate">innerHTML</code> (or other TT-conflicting functions) may be necessary to feature test a browser bug, but for the most part perhaps some of this could be gated on another feature test (e.g.<code class="notranslate">documentMode</code> for IE family). It's hard to predict without having a specific bug in mind, but -- potentially -- perhaps some of such problematic tests might be skipped in configuration. I see the problem though, thanks for the context.</p> <blockquote> <p dir="auto">We already had to be careful here due to CSP issues which we test for:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/test/unit/support.js#L40-L55">https://github.com/jquery/jquery/blob/3.5.1/test/unit/support.js#L40-L55</a><br> but it doesn't block <code class="notranslate">innerHTML</code> as a whole which Trusted Types enforcement would do.</p> <p dir="auto">I feel this is a more generic issue with CSP, though: what we need is a way to run support tests in a secure way that's not blocked by CSP. The environment where we run them could be isolated from the real webpage in which case there would be no security risk even if we used inline code, raw HTML strings, etc. Is it likely we'll get something like that?</p> </blockquote> <p dir="auto">I'm not sure I understand fully the use case here. Is this about production code doing feature testing that clashes with some CSP restrictions, or being able to configure the test environment easily? Can you reduce it to the smallest code snippet to distill the issue? In any case, browser changes take years to deploy, so it's not great either way :/</p> <blockquote> <blockquote> <p dir="auto">Some things still remain though, e.g. jQuery IIRC still expands <code class="notranslate"><script></code> nodes and tries to execute them separately</p> </blockquote> <p dir="auto">That's a good argument for us to stop doing that by default in jQuery 4. This would be a significant breaking change, though, so we'd still need to add a non-default way to keep the old behavior.</p> </blockquote> <p dir="auto">Understood. In general I think we can't get away with some configuration settings to control the behavior - after all, the whole idea is to reduce the attack surface, so it feels OK if jQuery users could voluntarily simply turn off the settings they don't need or find problematic. Trusted Types are here just an easy way of surfacing those risky areas. The exact shape of the configuration and what should the defaults be is of course decided by library owners.</p> <blockquote> <p dir="auto">This API only accepts plain objects, though. We could perhaps make that explicit & treat non-plain objects in a different manner.</p> </blockquote> <p dir="auto">The problem I'm seeing is I don't know how to <em>distinguish</em> POJO (or even typed objects) from Trusted Type objects without literally having <code class="notranslate">TrustedHTML</code> somewhere in the codebase. Calling a constructor for TT throws, so that's some indication, but perhaps calling a constructor for each non-string, non-element is too aggressive.</p> <p dir="auto">One of the ideas of making the lib TT agnostic would be e.g. allowing the users to specify which types they want jQuery to passthrough:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="$.addPassThroughHtmlType(TrustedHTML)"><pre class="notranslate"><code class="notranslate">$.addPassThroughHtmlType(TrustedHTML) </code></pre></div> <p dir="auto">and then jQuery would just make a <code class="notranslate">for</code> loop with <code class="notranslate">instanceof</code> checks to determine if <code class="notranslate">jQuery(object)</code> branch or <code class="notranslate">jQuery(passthroughHtml)</code> should be used.</p> <blockquote> <p dir="auto">Maybe it's not an issue since trusted HTML stringifies to the underlying HTML, though, we'd just need to cast it to string before running the checks?</p> </blockquote> <p dir="auto">If you're sure an object with a <code class="notranslate">toString</code> function was never used as a <code class="notranslate">jQuery(object)</code> case, that would work too. For POJO, it's simple, but there might be some backwards compatibility issue if typed objects (e.g. with a toString function) are actually used.</p> <blockquote> <p dir="auto">I feel a bit uneasy to explicitly mention the API in jQuery source; we've seen it a few times that APIs only supported by one browser may disappear or change significantly before being accepted accross all the major engines and then we'd often have to support both the old & new APIs.</p> </blockquote> <p dir="auto">Of course, no disagreements here - if it turns out feasible, that's ideal.</p> <blockquote> <p dir="auto">It'd also help if we had an answer for how to handle support tests in a secure, CSP-compliant way; in particular, if we can get any browser APIs that would allow them to run in a sandboxed environment even with CSP enabled.</p> </blockquote> <p dir="auto">I want to hear more about that. I'm not sure I'm answering the right question here, but there is a way to "break-out" of CSP restrictions, including Trusted Types. You either iframe a separate document that was loaded from a server (CSPs don't inherit), or iframe a <code class="notranslate">Blob:</code> URL (<a href="https://github.com/whatwg/html/issues/2593" data-hovercard-type="issue" data-hovercard-url="/whatwg/html/issues/2593/hovercard">CSP bug</a>). That gives you a fresh environment.</p> <p dir="auto">Slightly tangential to this, we were considering exposing a JS API to probe for the current CSP restrictions (<a href="https://w3c.github.io/webappsec-csp/api/" rel="nofollow">https://w3c.github.io/webappsec-csp/api/</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="279871236" data-permission-text="Title is private" data-url="https://github.com/w3c/trusted-types/issues/36" data-hovercard-type="issue" data-hovercard-url="/w3c/trusted-types/issues/36/hovercard" href="https://github.com/w3c/trusted-types/issues/36">w3c/trusted-types#36</a>), but we did not have strong enough use cases for this.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="f1t9FRXlxjAgzxh_p0LOHCKDO8sDZUR8Ut9es0SBQCd7H9a7VbWUJKMaq0EIF8WzmtoSedjv-cHOdtFnmiRyKQ" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDYzODI2ODgzNg=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-638268836-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/638268836" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="/ZvMi8dLCvtZWqM2tli6oIUQ/hfsyjdWmaok7kZ4sRjVYxNigrK5ZW4Ud143nSMfesS1DhJcaNZefm2GqIiLdA==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/638268836/edit_form?textarea_id=issuecomment-638268836-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDE1OlJlZmVyZW5jZWRFdmVudDM0MTIyNzY0MjE="> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-872affd"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-872affd" class="Link--secondary"> <relative-time datetime="2020-06-05T17:00:02Z" class="no-wrap">Jun 5, 2020</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDo4NzJhZmZkM2JmZTdjNmYwYmNkZDQyMDQxMmY5NTUyNmRkYzg0NTkxIiwidCI6MTczMjg0MDE3MH0=--0ca5cc0f21421214c7b6905dd62cb9aab4778acde5d161b7623666e8f272df10" data-url="/mgol/jquery/commit/872affd3bfe7c6f0bcdd420412f95526ddc84591/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Manipulation: Avoid concatenating strings in buildFragment Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](https://web.dev/trusted-types/). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref gh-4409 Ref angular/angular.js#17028" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/872affd3bfe7c6f0bcdd420412f95526ddc84591">Manipulation: Avoid concatenating strings in buildFragment</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTo4NzJhZmZkM2JmZTdjNmYwYmNkZDQyMDQxMmY5NTUyNmRkYzg0NTkx" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/872affd3bfe7c6f0bcdd420412f95526ddc84591" class="Link--secondary">872affd</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">Concatenating HTML strings in buildFragment is a possible security risk as it creates an opportunity of escaping the concatenated wrapper. It also makes it impossible to support secure HTML wrappers like [trusted types](<a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a>). It's safer to create wrapper elements using `document.createElement` & `appendChild`. The previous way was needed in jQuery <4 because IE <10 doesn't accept table parts set via `innerHTML`, even if the element which contents are set is a proper table element, e.g.: ```js tr.innerHTML = "<td></td>"; ``` The whole structure needs to be passed in one HTML string. jQuery 4 drops support for IE <11 so this is no longer an issue; in older version we'd have to duplicate the code paths. IE <10 needed to have `<option>` elements wrapped in `<select multiple="multiple">` but we no longer need that on master which makes the `document.createElement` way shorter as we don't have to call `setAttribute`. jQuery 1.x sometimes needed to have more than one element in the wrapper that would precede parts wrapping HTML input so descending needed to use `lastChild`. Since all wrappers are single-element now, we can use `firstChild` which compresses better as it's used in other places in the code as well. All these improvements, apart from making logic more secure, decrease the gzipped size by 55 bytes. Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="621606293" data-permission-text="Title is private" data-url="https://github.com/angular/angular.js/issues/17028" data-hovercard-type="pull_request" data-hovercard-url="/angular/angular.js/pull/17028/hovercard" href="https://github.com/angular/angular.js/pull/17028">angular/angular.js#17028</a></pre> </div> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzOTY0MjIyMw=="> <div class="TimelineItem js-comment-container" data-gid="MDEyOklzc3VlQ29tbWVudDYzOTY0MjIyMw==" data-url="/jquery/jquery/comments/MDEyOklzc3VlQ29tbWVudDYzOTY0MjIyMw==/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-639642223"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="e49f39ff91f9121e41457e83535f649edb3f638558f664ef311956cd75c6dc59"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-639642223-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-639642223" id="issuecomment-639642223-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2020-06-05T17:14:43Z" class="no-wrap">Jun 5, 2020</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <blockquote> <blockquote> <p dir="auto">We already had to be careful here due to CSP issues which we test for:<br> <a href="https://github.com/jquery/jquery/blob/3.5.1/test/unit/support.js?rgh-link-date=2020-06-03T15%3A23%3A09Z#L40-L55">/test/unit/support.js@<code class="notranslate">3.5.1</code>#L40-L55</a><br> but it doesn't block <code class="notranslate">innerHTML</code> as a whole which Trusted Types enforcement would do.<br> I feel this is a more generic issue with CSP, though: what we need is a way to run support tests in a secure way that's not blocked by CSP. The environment where we run them could be isolated from the real webpage in which case there would be no security risk even if we used inline code, raw HTML strings, etc. Is it likely we'll get something like that?</p> </blockquote> <p dir="auto">I'm not sure I understand fully the use case here. Is this about production code doing feature testing that clashes with some CSP restrictions, or being able to configure the test environment easily? Can you reduce it to the smallest code snippet to distill the issue? In any case, browser changes take years to deploy, so it's not great either way :/</p> </blockquote> <p dir="auto">One example is the test case I provided before: <a href="https://github.com/jquery/jquery/blob/3.5.1/src/core/support.js#L13-L17">https://github.com/jquery/jquery/blob/3.5.1/src/core/support.js#L13-L17</a>. It's a test for a Safari 8 issue and it requires <code class="notranslate">innerHTML</code> usage to detect a bug as it's a bug in HTML serialization logic in Safari. The function should return <code class="notranslate">true</code> but it returns <code class="notranslate">false</code> in Safari 8.</p> <p dir="auto">Things like that would be impossible on pages that enforce trusted types via CSP right now. I feel that browsers need an API that would allow to bypass CSP for test cases like that in a secure way (i.e. no access to cookies/other types of storage, to the current DOM, etc.).</p> <p dir="auto">...unless this works:</p> <blockquote> <p dir="auto">I want to hear more about that. I'm not sure I'm answering the right question here, but there is a way to "break-out" of CSP restrictions, including Trusted Types. You either iframe a separate document that was loaded from a server (CSPs don't inherit), or iframe a <code class="notranslate">Blob:</code> URL (<a href="https://github.com/whatwg/html/issues/2593" data-hovercard-type="issue" data-hovercard-url="/whatwg/html/issues/2593/hovercard">CSP bug</a>). That gives you a fresh environment.</p> </blockquote> <p dir="auto">Since this is a library we can't really load anything else from the server other than what the user already loads but if an iframe with a blob URL works, that's worth checking for a potential future use.</p> <blockquote> <blockquote> <p dir="auto">This API only accepts plain objects, though. We could perhaps make that explicit & treat non-plain objects in a different manner.</p> </blockquote> <p dir="auto">The problem I'm seeing is I don't know how to <em>distinguish</em> POJO (or even typed objects) from Trusted Type objects without literally having <code class="notranslate">TrustedHTML</code> somewhere in the codebase. Calling a constructor for TT throws, so that's some indication, but perhaps calling a constructor for each non-string, non-element is too aggressive.</p> </blockquote> <p dir="auto">jQuery has a <code class="notranslate">$.isPlainObject</code> API for such purposes:<br> </p><div class="Box Box--condensed my-2"> <div class="Box-header f6"> <p class="mb-0 text-bold"> <a href="https://github.com/jquery/jquery/blob/40c3abd0ab049449acab5f2e12c34b9cc3199482/src/core.js#L202-L221">jquery/src/core.js</a> </p> <p class="mb-0 color-fg-muted"> Lines 202 to 221 in <a data-pjax="true" class="commit-tease-sha Link--inTextBlock" href="/jquery/jquery/commit/40c3abd0ab049449acab5f2e12c34b9cc3199482">40c3abd</a> </p> </div> <div itemprop="text" class="Box-body p-0 blob-wrapper blob-wrapper-embedded data"> <table class="highlight tab-size mb-0 js-file-line-container" data-tab-size="8" data-paste-markdown-skip=""> <tbody><tr class="border-0"> <td id="L202" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="202"></td> <td id="LC202" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-en">isPlainObject</span>: <span class="pl-k">function</span><span class="pl-kos">(</span> <span class="pl-s1">obj</span> <span class="pl-kos">)</span> <span class="pl-kos">{</span> </td> </tr> <tr class="border-0"> <td id="L203" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="203"></td> <td id="LC203" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">var</span> <span class="pl-s1">proto</span><span class="pl-kos">,</span> <span class="pl-v">Ctor</span><span class="pl-kos">;</span> </td> </tr> <tr class="border-0"> <td id="L204" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="204"></td> <td id="LC204" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> </td> </tr> <tr class="border-0"> <td id="L205" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="205"></td> <td id="LC205" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// Detect obvious negatives</span> </td> </tr> <tr class="border-0"> <td id="L206" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="206"></td> <td id="LC206" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// Use toString instead of jQuery.type to catch host objects</span> </td> </tr> <tr class="border-0"> <td id="L207" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="207"></td> <td id="LC207" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">if</span> <span class="pl-kos">(</span> <span class="pl-c1">!</span><span class="pl-s1">obj</span> <span class="pl-c1">||</span> <span class="pl-s1">toString</span><span class="pl-kos">.</span><span class="pl-en">call</span><span class="pl-kos">(</span> <span class="pl-s1">obj</span> <span class="pl-kos">)</span> <span class="pl-c1">!==</span> <span class="pl-s">"[object Object]"</span> <span class="pl-kos">)</span> <span class="pl-kos">{</span> </td> </tr> <tr class="border-0"> <td id="L208" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="208"></td> <td id="LC208" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">return</span> <span class="pl-c1">false</span><span class="pl-kos">;</span> </td> </tr> <tr class="border-0"> <td id="L209" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="209"></td> <td id="LC209" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-kos">}</span> </td> </tr> <tr class="border-0"> <td id="L210" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="210"></td> <td id="LC210" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> </td> </tr> <tr class="border-0"> <td id="L211" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="211"></td> <td id="LC211" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-s1">proto</span> <span class="pl-c1">=</span> <span class="pl-en">getProto</span><span class="pl-kos">(</span> <span class="pl-s1">obj</span> <span class="pl-kos">)</span><span class="pl-kos">;</span> </td> </tr> <tr class="border-0"> <td id="L212" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="212"></td> <td id="LC212" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> </td> </tr> <tr class="border-0"> <td id="L213" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="213"></td> <td id="LC213" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// Objects with no prototype (e.g., `Object.create( null )`) are plain</span> </td> </tr> <tr class="border-0"> <td id="L214" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="214"></td> <td id="LC214" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">if</span> <span class="pl-kos">(</span> <span class="pl-c1">!</span><span class="pl-s1">proto</span> <span class="pl-kos">)</span> <span class="pl-kos">{</span> </td> </tr> <tr class="border-0"> <td id="L215" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="215"></td> <td id="LC215" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">return</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> </td> </tr> <tr class="border-0"> <td id="L216" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="216"></td> <td id="LC216" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-kos">}</span> </td> </tr> <tr class="border-0"> <td id="L217" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="217"></td> <td id="LC217" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> </td> </tr> <tr class="border-0"> <td id="L218" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="218"></td> <td id="LC218" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// Objects with prototype are plain iff they were constructed by a global Object function</span> </td> </tr> <tr class="border-0"> <td id="L219" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="219"></td> <td id="LC219" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-v">Ctor</span> <span class="pl-c1">=</span> <span class="pl-s1">hasOwn</span><span class="pl-kos">.</span><span class="pl-en">call</span><span class="pl-kos">(</span> <span class="pl-s1">proto</span><span class="pl-kos">,</span> <span class="pl-s">"constructor"</span> <span class="pl-kos">)</span> <span class="pl-c1">&&</span> <span class="pl-s1">proto</span><span class="pl-kos">.</span><span class="pl-c1">constructor</span><span class="pl-kos">;</span> </td> </tr> <tr class="border-0"> <td id="L220" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="220"></td> <td id="LC220" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">return</span> <span class="pl-k">typeof</span> <span class="pl-v">Ctor</span> <span class="pl-c1">===</span> <span class="pl-s">"function"</span> <span class="pl-c1">&&</span> <span class="pl-s1">fnToString</span><span class="pl-kos">.</span><span class="pl-en">call</span><span class="pl-kos">(</span> <span class="pl-v">Ctor</span> <span class="pl-kos">)</span> <span class="pl-c1">===</span> <span class="pl-v">ObjectFunctionString</span><span class="pl-kos">;</span> </td> </tr> <tr class="border-0"> <td id="L221" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="221"></td> <td id="LC221" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-kos">}</span><span class="pl-kos">,</span> </td> </tr> </tbody></table> </div> </div> <br> It's true we have to be mindful about performance but this API is already used in another place in the <code class="notranslate">jQuery.fn.init</code> code so it might be doable.<p></p> <blockquote> <p dir="auto">One of the ideas of making the lib TT agnostic would be e.g. allowing the users to specify which types they want jQuery to passthrough:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="$.addPassThroughHtmlType(TrustedHTML)"><pre class="notranslate"><code class="notranslate">$.addPassThroughHtmlType(TrustedHTML) </code></pre></div> <p dir="auto">and then jQuery would just make a <code class="notranslate">for</code> loop with <code class="notranslate">instanceof</code> checks to determine if <code class="notranslate">jQuery(object)</code> branch or <code class="notranslate">jQuery(passthroughHtml)</code> should be used.</p> </blockquote> <p dir="auto">I think at the beginning I'd try to do it without explicit hatches like that to increase probability of at least some jQuery plugins working with trusted types out of the box but I'll keep this in mind if that doesn't work.</p> <blockquote> <blockquote> <p dir="auto">Maybe it's not an issue since trusted HTML stringifies to the underlying HTML, though, we'd just need to cast it to string before running the checks?</p> </blockquote> <p dir="auto">If you're sure an object with a <code class="notranslate">toString</code> function was never used as a <code class="notranslate">jQuery(object)</code> case, that would work too. For POJO, it's simple, but there might be some backwards compatibility issue if typed objects (e.g. with a toString function) are actually used.</p> </blockquote> <p dir="auto">This would be an edge case so I think it's fine for a major update at least.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="7YkCPZ5lU7_ATyOHeTYqyiTOkrzI-5Dh-6PxI3_aP07pzamT3jUBq0OakLnWYyFlnJe7DhNxLVxnCn73oX8NQA" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="MDEyOklzc3VlQ29tbWVudDYzOTY0MjIyMw=="> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-639642223-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/639642223" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="NVuo80PW/CHARscl3P10sLnVoeZx6tbehpFsoWKg2HNvRuP2m9IToqQoBAVwGfTho4WHDZcumA6LYGjMaN5F7Q==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/639642223/edit_form?textarea_id=issuecomment-639642223-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="MDEyOkxhYmVsZWRFdmVudDM0MTIzNDM3NDQ="> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-3412343744"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-tag color-fg-inherit"> <path d="M1 7.775V2.75C1 1.784 1.784 1 2.75 1h5.025c.464 0 .91.184 1.238.513l6.25 6.25a1.75 1.75 0 0 1 0 2.474l-5.026 5.026a1.75 1.75 0 0 1-2.474 0l-6.25-6.25A1.752 1.752 0 0 1 1 7.775Zm1.5 0c0 .066.026.13.073.177l6.25 6.25a.25.25 0 0 0 .354 0l5.025-5.025a.25.25 0 0 0 0-.354l-6.25-6.25a.25.25 0 0 0-.177-.073H2.75a.25.25 0 0 0-.25.25ZM6 5a1 1 0 1 1 0 2 1 1 0 0 1 0-2Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added <a id="label-b16cef" href="/jquery/jquery/labels/Manipulation" data-name="Manipulation" style="--label-r:0;--label-g:82;--label-b:204;--label-h:215;--label-s:100;--label-l:40;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Manipulation </a> <a id="label-84807d" href="/jquery/jquery/labels/Discuss%20in%20Meeting" data-name="Discuss in Meeting" style="--label-r:251;--label-g:202;--label-b:4;--label-h:48;--label-s:96;--label-l:50;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Discuss in Meeting </a> <tool-tip id="tooltip-52908ed2-c800-476b-9b3c-ea0ef637ca2d" for="label-84807d" popover="manual" data-direction="s" data-type="description" data-view-component="true" class="sr-only position-absolute">Reserved for Issues and PRs that anyone would like to discuss in the weekly meeting.</tool-tip> labels <a href="#event-3412343744" class="Link--secondary"><relative-time datetime="2020-06-05T17:15:23Z" class="no-wrap">Jun 5, 2020</relative-time></a> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> mentioned this issue <a class="Link--secondary" href="#ref-issue-634829390" > <relative-time datetime="2020-06-08T18:15:08Z" class="no-wrap">Jun 8, 2020</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-634829390" > <a href="/jquery/jquery/issues/4731" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4731/hovercard"> [Duplicate] Have Trusted Types API built directly into the jQuery Core Files <span class="color-fg-muted text-normal" >#4731</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Closed" data-view-component="true" class="State State--merged State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-issue-closed flex-items-center mr-1"> <path d="M11.28 6.78a.75.75 0 0 0-1.06-1.06L7.25 8.69 5.78 7.22a.75.75 0 0 0-1.06 1.06l2 2a.75.75 0 0 0 1.06 0l3.5-3.5Z"></path><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0Zm-1.5 0a6.5 6.5 0 1 0-13 0 6.5 6.5 0 0 0 13 0Z"></path> </svg> Closed </span> </div> </div> </div> </div> </div> <div id="js-progressive-timeline-item-container"> </option></form><form class="ajax-pagination-form js-ajax-pagination pagination-loader-container mt-4 mb-4 ml-0 text-center" data-turbo="false" action="/jquery/jquery/issues/4409/partials/load_more?after_cursor=Y3Vyc29yOnYyOpPPAAABcpUkq-ACqjEwMzcwNjMwNDU%3D&before_cursor=Y3Vyc29yOnYyOpPPAAABe8xRBTgCqjExMzQ1NDczNDc%3D" accept-charset="UTF-8" method="get"> <div class="discussion-item-header pt-0"> <div class="Box d-inline-flex flex-column"> <button type="submit" class="color-fg-muted ajax-pagination-btn no-underline pb-0 pt-2 px-4 mt-0 mb-1 color-bg-default border-0"> 6 hidden items </button> <button type="submit" class="ajax-pagination-btn no-underline pb-1 pt-0 px-4 mt-0 mb-1 color-bg-default border-0" data-disable-with="Loading…"> Load more… </button> </div> </div> </div> </form> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="CRE_kwDOAAKNBs5Dn9GT"> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> mentioned this issue <a class="Link--secondary" href="#ref-pullrequest-992617848" > <relative-time datetime="2021-09-09T20:47:47Z" class="no-wrap">Sep 9, 2021</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-pullrequest-992617848" > <a href="/jquery/jquery/pull/4927" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard"> Core:Manipulation: Add basic TrustedHTML support <span class="color-fg-muted text-normal" >#4927</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Merged" data-view-component="true" class="State State--merged State--small"> <svg height="14" class="octicon octicon-git-merge" viewBox="0 0 16 16" version="1.1" width="14" aria-hidden="true"><path d="M5.45 5.154A4.25 4.25 0 0 0 9.25 7.5h1.378a2.251 2.251 0 1 1 0 1.5H9.25A5.734 5.734 0 0 1 5 7.123v3.505a2.25 2.25 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.95-.218ZM4.25 13.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm8.5-4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5ZM5 3.25a.75.75 0 1 0 0 .005V3.25Z"></path></svg> Merged </span> </div> </div> <tracked-issues-progress data-total="4" data-completed="0" data-type="other"> <div class="d-inline-flex flex-row flex-items-center text-small"> <span data-target="tracked-issues-progress.checklist" style="display: inline"> <svg style="display: inline" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-checklist"> <path d="M2.5 1.75v11.5c0 .138.112.25.25.25h3.17a.75.75 0 0 1 0 1.5H2.75A1.75 1.75 0 0 1 1 13.25V1.75C1 .784 1.784 0 2.75 0h8.5C12.216 0 13 .784 13 1.75v7.736a.75.75 0 0 1-1.5 0V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13.274 9.537v-.001l-4.557 4.45a.75.75 0 0 1-1.055-.008l-1.943-1.95a.75.75 0 0 1 1.062-1.058l1.419 1.425 4.026-3.932a.75.75 0 1 1 1.048 1.074ZM4.75 4h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1 0-1.5ZM4 7.75A.75.75 0 0 1 4.75 7h2a.75.75 0 0 1 0 1.5h-2A.75.75 0 0 1 4 7.75Z"></path> </svg> </span> <span style="transform:rotate(-90deg); width:12px; height:12px; display: none"> <svg width="12" height="12" data-target="tracked-issues-progress.progress" data-circumference="31" > <circle stroke="var(--borderColor-accent-muted, var(--color-accent-subtle))" stroke-width="2" fill="transparent" cx="50%" cy="50%" r="5" /> <circle data-target="tracked-issues-progress.stroke" style="transition: stroke-dashoffset 0.35s; transform: rotate(5.806451612903226deg); transform-origin: center" stroke="var(--fgColor-accent, var(--color-accent-fg))" stroke-width="2" stroke-dasharray="31" stroke-dashoffset="32.0" stroke-linecap="round" fill="transparent" cx="50%" cy="50%" r="5" /> </svg> </span> <span class="text-normal no-wrap mr-1 ml-1" data-target="tracked-issues-progress.label">4 tasks</span> </div> </tracked-issues-progress> </div> </div> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-5280941722"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-tag color-fg-inherit"> <path d="M1 7.775V2.75C1 1.784 1.784 1 2.75 1h5.025c.464 0 .91.184 1.238.513l6.25 6.25a1.75 1.75 0 0 1 0 2.474l-5.026 5.026a1.75 1.75 0 0 1-2.474 0l-6.25-6.25A1.752 1.752 0 0 1 1 7.775Zm1.5 0c0 .066.026.13.073.177l6.25 6.25a.25.25 0 0 0 .354 0l5.025-5.025a.25.25 0 0 0 0-.354l-6.25-6.25a.25.25 0 0 0-.177-.073H2.75a.25.25 0 0 0-.25.25ZM6 5a1 1 0 1 1 0 2 1 1 0 0 1 0-2Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added the <a id="label-669284" href="/jquery/jquery/labels/Has%20Pull%20Request" data-name="Has Pull Request" style="--label-r:191;--label-g:229;--label-b:191;--label-h:120;--label-s:42;--label-l:82;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Has Pull Request </a> label <a href="#event-5280941722" class="Link--secondary"><relative-time datetime="2021-09-09T20:48:11Z" class="no-wrap">Sep 9, 2021</relative-time></a> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs42n41d"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs42n41d" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs42n41d/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-916426077"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="190579735efaded74b3e5f4b6482fa92dcd6e5a8ae4037137b5df5855ac5c6f7"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-916426077-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-916426077" id="issuecomment-916426077-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-09T20:49:39Z" class="no-wrap">Sep 9, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">I submitted a pull request adding support for TrustedHTML, including unit tests, please take a look: <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="992617848" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4927" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard" href="https://github.com/jquery/jquery/pull/4927">#4927</a>.</p> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/koto">@koto</a> could you give an update of where we are with regards to browser support? Are maintainers of other browser engines in favor, neutral or opposed to the standard? Such information matters a lot for a project like jQuery.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="xqpLey0FgaEWOvHOvCoJ8uK3Zn7joZR5oMPNPiPL1ebC7uDVbVXTtZXvQvATfwJdWu5PzDgrKcQ8akLq_W7n6A" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs42n41d"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-916426077-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/916426077" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="s5tV8weJTn2zs9eD7VjZbdaZv9dVxj8niRRVcTJ1NV6rJfg3h18KtcZndRis6sdqvyXgqKopIb40FCuWRV/1LQ==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/916426077/edit_form?textarea_id=issuecomment-916426077-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs42pf-o"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs42pf-o" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs42pf-o/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=80&v=4" width="40" height="40" alt="@koto" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-916848552"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="29b3c1d78e26bc99a28012861437975526e7a5ad280627e14267bc19de894591"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-916848552-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto">koto</a> </strong> commented <a href="#issuecomment-916848552" id="issuecomment-916848552-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-10T11:59:01Z" class="no-wrap">Sep 10, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">Thanks a lot, <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/mgol">@mgol</a>, I'll take a look at the PR (I already like the ones merged!). The code size delta is impressively small!</p> <p dir="auto">There are sadly no updates w.r.t. to other browsers support. Trusted Types are currently shipped in <a href="https://caniuse.com/trusted-types" rel="nofollow">Edge, Chrome, Opera, Blink etc.</a>) + there is a polyfill. We see the usage of the API <a href="https://mitigation.supply/#trusted-types" rel="nofollow">slowly growing</a>, and have released a report of the current <a href="https://docs.google.com/document/d/1m91JZWKAGOR3jQoicMVE9Ydcq79gM2BetcRIBemrex8/edit#heading=h.jk0th3j9vl2r" rel="nofollow">TT coverage</a>. The recent large integrations we know of are Angular and webpack.</p> <p dir="auto">For library integrations, we are trying to make sure that the code, either:</p> <ul dir="auto"> <li>stops using sinks (infeasible for jQuery - the whole point is that it does), or</li> <li>does not downgrade passed TT to strings (jQuery case), or</li> <li>if TT APIs are used, it's done with feature testing (e.g. <code class="notranslate">window.trustedTypes?.createPolicy()</code> in modern JS lingo)</li> </ul> <p dir="auto">That way many integrations bring value <a href="https://github.com/w3c/webappsec-trusted-types/wiki/FAQ#do-trusted-types-address-dom-xss-only-in-browsers-supporting-trusted-types">even without the TT enforcement</a> due to untangling their data flows. My biased take is that this is worth +38 bytes, but these are obviously not my bytes to govern :)</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="CBBLWpeoyL2Vu62fyMOykCpisOLrrp9BwDq-ppkJgfUMVOD01_iaqRZuHqFnlrk_kjuZUDAkIvxckzFyR6yz-w" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs42pf-o"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-916848552-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/916848552" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="miG25ocLHnZIodxSwXjdqZCU/vhkpyAeZge2jvwo1EDVTQ8Te+4/2PxjvdZoboP5XW7t0IO+1u3rRoxxBzI3Dw==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/916848552/edit_form?textarea_id=issuecomment-916848552-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs42phSu"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs42phSu" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs42phSu/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-916853934"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="4013c5cd16691e04a362418b5242c6a4bd5ec4b0298c74de1219b05ec8f84c5b"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-916853934-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-916853934" id="issuecomment-916853934-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-10T12:08:12Z" class="no-wrap">Sep 10, 2021</relative-time></a> <span class="js-comment-edit-history"> <span class="d-inline-block color-fg-muted">•</span> <details class="details-overlay details-reset d-inline-block dropdown hx_dropdown-fullscreen"> <summary class="btn-link no-underline color-fg-muted js-notice"> <div class="position-relative"> <span> edited </span> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-triangle-down v-align-middle"> <path d="m4.427 7.427 3.396 3.396a.25.25 0 0 0 .354 0l3.396-3.396A.25.25 0 0 0 11.396 7H4.604a.25.25 0 0 0-.177.427Z"></path> </svg> </div> </summary> <details-menu class="dropdown-menu dropdown-menu-s width-auto py-0 js-comment-edit-history-menu" style="max-width: 352px; z-index: 99;" src="/user_content_edits/show_edit_history_log/IC_kwDOAAKNBs42phSu" preload > <include-fragment class="my-3" style="min-width: 100px;" aria-label="Loading..."> <span data-view-component="true"> <svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" aria-hidden="true" data-view-component="true" class="mx-auto d-block anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg> <span class="sr-only">Loading</span> </span> </include-fragment> </details-menu> </details> </span> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/koto">@koto</a> Thanks for the updates. Up to 4.5% of page loads with TT enforcement in Chrome looks like a lot! Do you know what pages contribute the most to such a percentage? I imagine the vast majority of web developers doesn't even know about trusted types so I'd expect such traffic to come mostly from a few popular websites.</p> <p dir="auto">EDIT: I should have looked at the report before asking, I see there's more detailed data there. :)</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="k2Nn8lQz9NyqYJsjqL1QZtIEqtRXA5Rw_SktylA6xl6XJ8xcFGOmyCm1KB0H6FvJal2DZoyJKc1hgKIejp_0UA" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs42phSu"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-388b43" value="THUMBS_UP react" data-button-index-position="0" data-reaction-label="+1" data-reaction-content="+1" aria-pressed="false" aria-label="react with thumbs up" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji">👍</g-emoji> <span class="js-discussion-reaction-group-count">1</span> </button> <tool-tip id="tooltip-edbdf3b2-380d-4850-8249-76a725bee83f" for="reactions--reaction_button_component-388b43" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">koto reacted with thumbs up emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="koto reacted with thumbs up emoji"> <g-emoji alias="+1" fallback-src="https://github.githubassets.com/assets/1f44d-41cb66fe1e22.png" class="social-button-emoji mr-2">👍</g-emoji> <span>1 reaction</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-916853934-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/916853934" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="If2//1gVcS1MFo4P0Lb564/u1QCZygLIwTaqqsJlGR80LLVHp3ZMCXebvnpe3DpyNbW+9JPOuUdDyDvmKshtYg==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/916853934/edit_form?textarea_id=issuecomment-916853934-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="REFE_lADOAAKNBs4awqgezwAAAAE7j_G8"> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-236eb1f"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-236eb1f" class="Link--secondary"> <relative-time datetime="2021-09-13T16:47:17Z" class="no-wrap">Sep 13, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDoyMzZlYjFmNzMyYzlkODk2YzA0YTFmY2Q0N2IzY2ZlMDNjOTA3MzMwIiwidCI6MTczMjg0MDE3MX0=--c4cc15af9482444016beda14f8ef5dab8341ed854b6cd8c2bbdacfce62422630" data-url="/mgol/jquery/commit/236eb1f732c9d896c04a1fcd47b3cfe03c907330/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="WIP Core:Manipulation: Add basic TrustedHTML support Fixes gh-4409" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/236eb1f732c9d896c04a1fcd47b3cfe03c907330">WIP Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MToyMzZlYjFmNzMyYzlkODk2YzA0YTFmY2Q0N2IzY2ZlMDNjOTA3MzMw" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/236eb1f732c9d896c04a1fcd47b3cfe03c907330" class="Link--secondary">236eb1f</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap"><span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-efc1f95"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-efc1f95" class="Link--secondary"> <relative-time datetime="2021-09-13T17:07:53Z" class="no-wrap">Sep 13, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDplZmMxZjk1NGVmZDZiZDdkZWFkMzhjMzQxY2EyOGU1ZWQyZTE1YTYxIiwidCI6MTczMjg0MDE3MX0=--88b2970e951a1ac1a0879142ba9f6b2feb025c3da4d6bfebe7db0948bfa1d470" data-url="/mgol/jquery/commit/efc1f954efd6bd7dead38c341ca28e5ed2e15a61/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/efc1f954efd6bd7dead38c341ca28e5ed2e15a61">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTplZmMxZjk1NGVmZDZiZDdkZWFkMzhjMzQxY2EyOGU1ZWQyZTE1YTYx" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/efc1f954efd6bd7dead38c341ca28e5ed2e15a61" class="Link--secondary">efc1f95</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-57c62b4"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-57c62b4" class="Link--secondary"> <relative-time datetime="2021-09-14T21:30:34Z" class="no-wrap">Sep 14, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDo1N2M2MmI0ZWM4Njk4ZmExOWE3Njc5NGJkMjdjZGEwZjRlNTA2OGNjIiwidCI6MTczMjg0MDE3MX0=--c78f114fb11c67715a2200d711eb6454d5e0f625182ae36f78e87cd75faa3e5b" data-url="/mgol/jquery/commit/57c62b4ec8698fa19a76794bd27cda0f4e5068cc/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/57c62b4ec8698fa19a76794bd27cda0f4e5068cc">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTo1N2M2MmI0ZWM4Njk4ZmExOWE3Njc5NGJkMjdjZGEwZjRlNTA2OGNj" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/57c62b4ec8698fa19a76794bd27cda0f4e5068cc" class="Link--secondary">57c62b4</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a></pre> </div> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs421qjV"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs421qjV" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs421qjV/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/zwjohn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/zwjohn"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/19634524?s=80&v=4" width="40" height="40" alt="@zwjohn" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-920037589"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="8258a7d7f83b3ac33a395a20403a8d96486a41476413981aec03eb8a3b1d6738"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-920037589-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/zwjohn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/zwjohn">zwjohn</a> </strong> commented <a href="#issuecomment-920037589" id="issuecomment-920037589-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-15T13:51:09Z" class="no-wrap">Sep 15, 2021</relative-time></a> <span class="js-comment-edit-history"> <span class="d-inline-block color-fg-muted">•</span> <details class="details-overlay details-reset d-inline-block dropdown hx_dropdown-fullscreen"> <summary class="btn-link no-underline color-fg-muted js-notice"> <div class="position-relative"> <span> edited </span> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-triangle-down v-align-middle"> <path d="m4.427 7.427 3.396 3.396a.25.25 0 0 0 .354 0l3.396-3.396A.25.25 0 0 0 11.396 7H4.604a.25.25 0 0 0-.177.427Z"></path> </svg> </div> </summary> <details-menu class="dropdown-menu dropdown-menu-s width-auto py-0 js-comment-edit-history-menu" style="max-width: 352px; z-index: 99;" src="/user_content_edits/show_edit_history_log/IC_kwDOAAKNBs421qjV" preload > <include-fragment class="my-3" style="min-width: 100px;" aria-label="Loading..."> <span data-view-component="true"> <svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" aria-hidden="true" data-view-component="true" class="mx-auto d-block anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg> <span class="sr-only">Loading</span> </span> </include-fragment> </details-menu> </details> </span> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">I have a Chrome extension that uses Jquery, I am now getting about 5 "This document requires 'TrustedHTML' assignment" errors in the Chrome console whenever the browser loads jquery, causing the extension to stop working (because Jquery failed to load due to the error mentioned above). I tried the latest version 3.6 and got the same error. Apparently, Jquery uses innerHTML somewhere in the code, so I had to window.trustedTypes to bypass the failure, it's more a hack.<br> Is there a better solution to solve this error for Jquery?</p> <p dir="auto">Thanks</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="rkc19OJkidQMgV5Q8ARbkc5KSGYTateYlG12SrU38MSqA55aojTbwI9U7W5fUVA-dhNh1MjgaiUIxPmea5LCyg" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs421qjV"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-920037589-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/920037589" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="O+NyJn27p4XXTbAcEekFQIkv1L+3eVcRwhLAcO9ffsJF5s5CQGopzYreCRcsSInOzkwtcGy27Ip2fpvoJzOwPQ==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/920037589/edit_form?textarea_id=issuecomment-920037589-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs421sfo"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs421sfo" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs421sfo/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=80&v=4" width="40" height="40" alt="@koto" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-920045544"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="c7d4b37a9ddbe764c0a4db92a5c0aed8194992a4b1e0d12d080d690ece087da3"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-920045544-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto">koto</a> </strong> commented <a href="#issuecomment-920045544" id="issuecomment-920045544-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-15T14:00:23Z" class="no-wrap">Sep 15, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/zwjohn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/zwjohn">@zwjohn</a> I don't know exactly your setup, but I believe some feature testing done by jQuery at load times interfere with Trusted Types restrictions your Chrome extension has (or the restriction the page has, where the extension is loading its content script).</p> <p dir="auto">I "fixed" this in the past by using the default policy (the code is old, so it might need some adjusting: <a href="https://github.com/koto/web/blob/trusted-types-angular/src/trusted-types/default.ts">https://github.com/koto/web/blob/trusted-types-angular/src/trusted-types/default.ts</a>). Note that it will not address any other DOM writes you might be doing through jQuery or its plugins.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="yOhRA5QpPBTYXQpnWAbDvyJlgHmd2K51IqwR_7NvKuvMrPqt1HluAFuIuVn3U8gQmjypy0ZSE8i-BZ4rbcoY5Q" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs421sfo"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-920045544-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/920045544" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="3rXjcGqAUQsHJ61yuxcsdVKmUvBh/BQCLZ4i0zw+PacqGjKmsX3r4J8oDZ55qU5/BFDoWhwihLsu5g3Kn9rbwQ==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/920045544/edit_form?textarea_id=issuecomment-920045544-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs421zcj"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs421zcj" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs421zcj/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/zwjohn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/zwjohn"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/19634524?s=80&v=4" width="40" height="40" alt="@zwjohn" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-920074019"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="f7bd1ebea4b539fdfecb294e3740a1312d68ab04f445e360e7aea7ac3732b98a"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-920074019-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/zwjohn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/zwjohn">zwjohn</a> </strong> commented <a href="#issuecomment-920074019" id="issuecomment-920074019-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-15T14:31:43Z" class="no-wrap">Sep 15, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/koto">@koto</a> thanks for sharing your solution, I will take a look. I could use DOMPurify library to purify the strings, however, I think Jquery should handle this in the library or replace usage of innerHTML to avoid this error, otherwise, every developer using Jquery will run into this issue sooner or later.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="eZ6nl29MCipoXIV4DS9QhMHxmDiUOhC_ttW2dMpwIDd92gw5LxxYPuuJNkaielsreaixik-wrQIqfDmgFNUSOQ" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs421zcj"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-920074019-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/920074019" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="NN/Bfa4CTDc/xM6W28zUfthQkBdSja4ByJv/lNCP6yW8wUhLGV7WS3W0YYUbKACK8jfIgy0Nfa0ANXhCW6E3xg==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/920074019/edit_form?textarea_id=issuecomment-920074019-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="REFE_lADOAAKNBs4awqgezwAAAAE9Hu5e"> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-c43d1ee"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-c43d1ee" class="Link--secondary"> <relative-time datetime="2021-09-17T16:23:40Z" class="no-wrap">Sep 17, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDpjNDNkMWVlYzQ1NWRkMzEzMmIyZTM5Nzk4YmZjZDVkYzc3NTE3NjgzIiwidCI6MTczMjg0MDE3MX0=--1b2dd9497a2d0b114d6ef88e3fa726b6c4e2e56cb7a519595144ce09a9ca09d8" data-url="/mgol/jquery/commit/c43d1eec455dd3132b2e39798bfcd5dc77517683/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/c43d1eec455dd3132b2e39798bfcd5dc77517683">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="MDY6Q29tbWl0ODUxMjA5MTpjNDNkMWVlYzQ1NWRkMzEzMmIyZTM5Nzk4YmZjZDVkYzc3NTE3Njgz" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/c43d1eec455dd3132b2e39798bfcd5dc77517683" class="Link--secondary">c43d1ee</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-9af57b1"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-9af57b1" class="Link--secondary"> <relative-time datetime="2021-09-23T11:59:53Z" class="no-wrap">Sep 23, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDo5YWY1N2IxNDUzOTM2ZjNiZGZjZTE0NjVjMWQ1NGIxN2ZhNzllMTk5IiwidCI6MTczMjg0MDE3MX0=--ae129c07de284baef4be1704614bd755fbf89c1360906209ead3ec9684232ede" data-url="/mgol/jquery/commit/9af57b1453936f3bdfce1465c1d54b17fa79e199/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/9af57b1453936f3bdfce1465c1d54b17fa79e199">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="C_kwDOAIHiW9oAKDlhZjU3YjE0NTM5MzZmM2JkZmNlMTQ2NWMxZDU0YjE3ZmE3OWUxOTk" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/9af57b1453936f3bdfce1465c1d54b17fa79e199" class="Link--secondary">9af57b1</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-566171b"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-566171b" class="Link--secondary"> <relative-time datetime="2021-09-29T21:21:47Z" class="no-wrap">Sep 29, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDo1NjYxNzFiMGQwMGE4ZGRkMjc2Mzk1NjgwOTVlMzk0MjRiOTFkMWQ5IiwidCI6MTczMjg0MDE3MX0=--c4a99df1e8894e5cdf4b5fe85a1807e584789ae1bf50b09dc86bccf9b7e2f99d" data-url="/mgol/jquery/commit/566171b0d00a8ddd27639568095e39424b91d1d9/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/566171b0d00a8ddd27639568095e39424b91d1d9">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="C_kwDOAIHiW9oAKDU2NjE3MWIwZDAwYThkZGQyNzYzOTU2ODA5NWUzOTQyNGI5MWQxZDk" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/566171b0d00a8ddd27639568095e39424b91d1d9" class="Link--secondary">566171b</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-e3165e6"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit to mgol/jquery that referenced this issue <a href="#ref-commit-e3165e6" class="Link--secondary"> <relative-time datetime="2021-09-29T22:27:59Z" class="no-wrap">Sep 29, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzo4NTEyMDkxOmNvbW1pdDplMzE2NWU2OTRlOGNmMTY0NWIyYmUwMWExZjFlZGVkNGZhMTE0YmEyIiwidCI6MTczMjg0MDE3MX0=--3087bbd04cdb6eded68daf09b8a35b414f1633c7cb39a082217b1b6a6da81839" data-url="/mgol/jquery/commit/e3165e694e8cf1645b2be01a1f1eded4fa114ba2/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/mgol/jquery/commit/e3165e694e8cf1645b2be01a1f1eded4fa114ba2">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="C_kwDOAIHiW9oAKGUzMTY1ZTY5NGU4Y2YxNjQ1YjJiZTAxYTFmMWVkZWQ0ZmExMTRiYTI" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/mgol/jquery/commit/e3165e694e8cf1645b2be01a1f1eded4fa114ba2" class="Link--secondary">e3165e6</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquerygh-4409</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">jquerygh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">jquerygh-4724</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-5387955941"> <div class="TimelineItem-badge color-fg-on-emphasis color-bg-done-emphasis"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-closed color-fg-inherit"> <path d="M11.28 6.78a.75.75 0 0 0-1.06-1.06L7.25 8.69 5.78 7.22a.75.75 0 0 0-1.06 1.06l2 2a.75.75 0 0 0 1.06 0l3.5-3.5Z"></path><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0Zm-1.5 0a6.5 6.5 0 1 0-13 0 6.5 6.5 0 0 0 13 0Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> closed this as <a class="Link--secondary Link--inTextBlock" href="/jquery/jquery/issues?q=is%3Aissue+is%3Aclosed+archived%3Afalse+reason%3Acompleted">completed</a> in <a href="/jquery/jquery/pull/4927" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard"> #4927 </a> <a href="#event-5387955941" class="Link--secondary"><relative-time datetime="2021-09-30T14:00:25Z" class="no-wrap">Sep 30, 2021</relative-time></a> </div> </div> <div class="TimelineItem-break mb-0 height-full"></div> <div class="TimelineItem js-targetable-element" data-team-hovercards-enabled id="event-5387959397"> <div class="TimelineItem-badge "> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-tag color-fg-inherit"> <path d="M1 7.775V2.75C1 1.784 1.784 1 2.75 1h5.025c.464 0 .91.184 1.238.513l6.25 6.25a1.75 1.75 0 0 1 0 2.474l-5.026 5.026a1.75 1.75 0 0 1-2.474 0l-6.25-6.25A1.752 1.752 0 0 1 1 7.775Zm1.5 0c0 .066.026.13.073.177l6.25 6.25a.25.25 0 0 0 .354 0l5.025-5.025a.25.25 0 0 0 0-.354l-6.25-6.25a.25.25 0 0 0-.177-.073H2.75a.25.25 0 0 0-.25.25ZM6 5a1 1 0 1 1 0 2 1 1 0 0 1 0-2Z"></path> </svg> </div> <div class="TimelineItem-body"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added the <a id="label-742529" href="/jquery/jquery/labels/Core" data-name="Core" style="--label-r:0;--label-g:82;--label-b:204;--label-h:215;--label-s:100;--label-l:40;" data-view-component="true" class="IssueLabel hx_IssueLabel d-inline-block v-align-middle"> Core </a> label <a href="#event-5387959397" class="Link--secondary"><relative-time datetime="2021-09-30T14:00:53Z" class="no-wrap">Sep 30, 2021</relative-time></a> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-de5398a"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> added a commit that referenced this issue <a href="#ref-commit-de5398a" class="Link--secondary"> <relative-time datetime="2021-09-30T14:00:53Z" class="no-wrap">Sep 30, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzoxNjcxNzQ6Y29tbWl0OmRlNTM5OGE2YWQwODhkYzAwNmI0NmM2YTg3MGEyYTA1M2Y0Y2Q2NjMiLCJ0IjoxNzMyODQwMTcxfQ==--65f16f48b62552fc830f113b95c3d93ab56daa50eb84d6a97259739d399f8a54" data-url="/jquery/jquery/commit/de5398a6ad088dc006b46c6a870a2a053f4cd663/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Core:Manipulation: Add basic TrustedHTML support This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See https://web.dev/trusted-types/ for more information about TrustedHTML. Fixes gh-4409 Closes gh-4927 Ref gh-4642 Ref gh-4724" data-pjax="true" class="Link--secondary markdown-title" href="/jquery/jquery/commit/de5398a6ad088dc006b46c6a870a2a053f4cd663">Core:Manipulation: Add basic TrustedHTML support</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="C_kwDOAAKNBtoAKGRlNTM5OGE2YWQwODhkYzAwNmI0NmM2YTg3MGEyYTA1M2Y0Y2Q2NjM" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <span class="Skeleton d-inline-block mr-1" style="width:75px; height:14px; margin-bottom:-4px;"></span> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/jquery/jquery/commit/de5398a6ad088dc006b46c6a870a2a053f4cd663" class="Link--secondary">de5398a</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the `require-trusted-types-for` Content Security Policy directive. This commit builds on previous work needed for trusted types support, including <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">gh-4642</a> and <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">gh-4724</a>. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like `.html()` or `.append()`, for passing directly to the `jQuery` factory the string must start with `<` and end with `>`; no trailing or leading whitespaces are allowed. This is necessary as we cannot parse out a part of the input for further construction; that would violate the CSP rule - and that's what's done to HTML input not matching these constraints. No trusted types API is used explicitly in source; the majority of the work is ensuring we don't pass the input converted to string to APIs that would eventually assign it to `innerHTML`. This extra cautiousness is caused by the API being Blink-only, at least for now. The ban on passing strings to `innerHTML` means support tests relying on such assignments are impossible. We don't currently have such tests on the `main` branch but we used to have many of them in the 3.x & older lines. If there's a need to re-add such a test, we'll need an escape hatch to skip them for apps needing CSP-enforced TrustedHTML. See <a href="https://web.dev/trusted-types/" rel="nofollow">https://web.dev/trusted-types/</a> for more information about TrustedHTML. <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes issue #4409.">Fixes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">gh-4409</a> <span class="issue-keyword tooltipped tooltipped-se" aria-label="This commit closes pull request #4927.">Closes</span> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="992617848" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4927" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard" href="https://github.com/jquery/jquery/pull/4927">gh-4927</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="581420385" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4642" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4642/hovercard" href="https://github.com/jquery/jquery/pull/4642">gh-4642</a> Ref <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="628052090" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4724" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4724/hovercard" href="https://github.com/jquery/jquery/pull/4724">gh-4724</a></pre> </div> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs43g1Pv"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs43g1Pv" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs43g1Pv/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-931353583"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="e383021eab78a0060d0e211f84131e9ab777df9c6c55769a310b5c6e9135ae8d"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-931353583-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-931353583" id="issuecomment-931353583-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-30T14:04:20Z" class="no-wrap">Sep 30, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">This has landed in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="992617848" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4927" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard" href="https://github.com/jquery/jquery/pull/4927">#4927</a> and will be included in jQuery 4.0.0. Thanks for all the discussions!</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container has-reactions d-flex"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="TZQIVPH2_n78FQ0mXkI-TfXM3t3xkcIdM0p0P60LwnlJ0KP6saasan_AvhjxFzXiTZX3byobf6Cv4_vrc67wdw" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs43g1Pv"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <button name="input[content]" id="reactions--reaction_button_component-e4580a" value="HOORAY react" data-button-index-position="3" data-reaction-label="Hooray" data-reaction-content="tada" aria-pressed="false" aria-label="react with hooray" type="submit" disabled="disabled" data-view-component="true" class="social-reaction-summary-item js-reaction-group-button btn-link d-flex no-underline color-fg-muted flex-items-baseline mr-2"> <g-emoji alias="tada" fallback-src="https://github.githubassets.com/assets/1f389-36899a2cb781.png" class="social-button-emoji">🎉</g-emoji> <span class="js-discussion-reaction-group-count">1</span> </button> <tool-tip id="tooltip-3eb33e5c-d9c6-4584-81bd-beba9a9dadab" for="reactions--reaction_button_component-e4580a" popover="manual" data-direction="n" data-type="description" data-view-component="true" class="sr-only position-absolute">koto reacted with hooray emoji</tool-tip> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> <li class="dropdown-item" aria-label="koto reacted with hooray emoji"> <g-emoji alias="tada" fallback-src="https://github.githubassets.com/assets/1f389-36899a2cb781.png" class="social-button-emoji mr-2">🎉</g-emoji> <span>1 reaction</span> </li> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-931353583-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/931353583" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="s/AGGhmVe/+ZIOlezTcrNlXkE92LKnPlm/rr/yitPasTKlNKkFGjrZ8Voykyql2BLHTrlPDsYrxuuFaz6ZgE6A==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/931353583/edit_form?textarea_id=issuecomment-931353583-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs43h7FB"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs43h7FB" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs43h7FB/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=80&v=4" width="40" height="40" alt="@koto" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-931639617"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="a3bf3a6b2068b82961b42d6ed2c5f33cc4ec1490bf9b028b78baac919ef4bdd5"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-931639617-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto">koto</a> </strong> commented <a href="#issuecomment-931639617" id="issuecomment-931639617-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-09-30T20:26:12Z" class="no-wrap">Sep 30, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">Thank you Michał, that's great news!</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="B1CnVlJClvDDZC78jR9sh2ZXViag4dURjdj2b5kC4UwDFAz4EhLE5ECxncIiSmco3g5_lHtraKwRcXm7R6fTQg" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs43h7FB"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-931639617-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/931639617" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="sFmf2bKa4V9bJrdVkPObHfYuJLG8YkojPM/7HXvg/fIufYhxtWT64t67Y5h5lsic/gX9xjfQF+ICPfGqqy6bjA==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/931639617/edit_form?textarea_id=issuecomment-931639617-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs435s3k"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs435s3k" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs435s3k/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=80&v=4" width="40" height="40" alt="@koto" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-937872868"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="e3151df38369adafd36d8f3abc24dc6f564db94948563699bac2a7cc664df5a8"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-937872868-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto">koto</a> </strong> commented <a href="#issuecomment-937872868" id="issuecomment-937872868-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-10-07T14:55:10Z" class="no-wrap">Oct 7, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto">I noticed one violation still in <code class="notranslate">jQuery.attr</code>, where the value of the attribute <a href="https://github.com/jquery/jquery/blob/de5398a6ad088dc006b46c6a870a2a053f4cd663/src/attributes/attr.js#L53">is stringified</a> before calling <code class="notranslate">setAttribute</code>:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="const policy = trustedTypes.createPolicy('a', {createScriptURL: s=>s}) jQuery(aScript, policy.createScriptURL('foo')); Uncaught TypeError: Failed to execute 'setAttribute' on 'Element': This document requires 'TrustedScriptURL' assignment. at attr (jquery.js:6997) at access (jquery.js:3467) at jQuery.fn.init.attr (jquery.js:6955) at <anonymous>:1:6"><pre class="notranslate"><code class="notranslate">const policy = trustedTypes.createPolicy('a', {createScriptURL: s=>s}) jQuery(aScript, policy.createScriptURL('foo')); Uncaught TypeError: Failed to execute 'setAttribute' on 'Element': This document requires 'TrustedScriptURL' assignment. at attr (jquery.js:6997) at access (jquery.js:3467) at jQuery.fn.init.attr (jquery.js:6955) at <anonymous>:1:6 </code></pre></div> <p dir="auto">There is a workaround via <a href="https://blog.rodneyrehm.de/archives/11-jQuery-Hooks.html" rel="nofollow"><code class="notranslate">.attr</code> hooks</a>, but it might be worth addressing nonetheless.</p> <p dir="auto">It seems like this was introduced in <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/jquery/jquery/commit/ff7576755864193b4c1a00464bf0919bbbe96e8b/hovercard" href="https://github.com/jquery/jquery/commit/ff7576755864193b4c1a00464bf0919bbbe96e8b"><tt>ff75767</tt></a>, I suspect to workaround an <a href="https://github.com/facebook/react/pull/19588/commits/064319ed217d66b9dd7df70395a9c69292010739">IE <= 9 bug</a>, which incorrectly stringified objects passed to <code class="notranslate">setAttribute</code>.</p> <p dir="auto">I'm not sure what the most elegant solution would be here, I guess it depends on whether jQuery 4 aims to support IE9. If not, it's safe not to stringify values (browser API would). If yes, then there's only a less-than-ideal option of testing for the bug? IIRC this would be a good test:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="with (document.createElement('div')) { setAttribute('title', {toString:()=>''}); getAttribute('title') === '' }"><pre class="notranslate"><code class="notranslate">with (document.createElement('div')) { setAttribute('title', {toString:()=>''}); getAttribute('title') === '' } </code></pre></div> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="qtAsiDq5ZupciwsMZo3kysgKziwXN91rAzBObB9GMX6ulIcmeuk0_t9euDLJ2O9lcFPnnsy9YNafmcG4weMDcA" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs435s3k"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-937872868-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/937872868" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="PPYrIUzja0nv73oJgX3S0Zu0hhtrPx7t6u2Csaony7h0uelbTy2IWqOVJKjAjuCJADyR8MR+oDW05F8rNi083Q==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/937872868/edit_form?textarea_id=issuecomment-937872868-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs435t40"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs435t40" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs435t40/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-937877044"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="87d578c30189772b7edf2655ccdbe6d1a3ec8cd6975c9ebaf23e5c53aa1678a2"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-937877044-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-937877044" id="issuecomment-937877044-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-10-07T14:59:40Z" class="no-wrap">Oct 7, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/koto">@koto</a> Thanks for the info. jQuery 4.x will only support IE 11 so if this was just to please IE <=9 we should be good to remove the manual stringification.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="JceBa9s_FtF_FsfN1bJ7MHfZv5TEQvZsySPBVyjfAPshgyrFm29ExfzDdPN653Cfz4CWJh_IS9FVik6D9noy9Q" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs435t40"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-937877044-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/937877044" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="m6xo9Nxg915upclmW1GQrJMzgFX6DTimZUpPCaNl2281mH0xOshCftt6chgcXwHtE/tgg2XRVRrZ6FDp1Kr56g==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/937877044/edit_form?textarea_id=issuecomment-937877044-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="CRE_kwDOAAKNBs5D_m5r"> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> mentioned this issue <a class="Link--secondary" href="#ref-issue-1020147295" > <relative-time datetime="2021-10-07T15:00:18Z" class="no-wrap">Oct 7, 2021</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-1020147295" > <a href="/jquery/jquery/issues/4948" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4948/hovercard"> Attributes: Don't stringify values as it breaks Trusted Types <span class="color-fg-muted text-normal" >#4948</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Closed" data-view-component="true" class="State State--merged State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-issue-closed flex-items-center mr-1"> <path d="M11.28 6.78a.75.75 0 0 0-1.06-1.06L7.25 8.69 5.78 7.22a.75.75 0 0 0-1.06 1.06l2 2a.75.75 0 0 0 1.06 0l3.5-3.5Z"></path><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0Zm-1.5 0a6.5 6.5 0 1 0-13 0 6.5 6.5 0 0 0 13 0Z"></path> </svg> Closed </span> </div> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="IC_kwDOAAKNBs435uG1"> <div class="TimelineItem js-comment-container" data-gid="IC_kwDOAAKNBs435uG1" data-url="/jquery/jquery/comments/IC_kwDOAAKNBs435uG1/partials/timeline_issue_comment" > <div class="avatar-parent-child TimelineItem-avatar d-none d-md-block"> <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar rounded-2 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=80&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="40" height="40" alt="@mgol" /></a> </div> <div class=" timeline-comment-group js-minimizable-comment-group js-targetable-element TimelineItem-body my-0 " id="issuecomment-937877941"> <div class="ml-n3 timeline-comment unminimized-comment comment previewable-edit js-task-list-container js-comment timeline-comment--caret" data-body-version="3dd9093ddd69bf9ab27d97b027d1cd80d82884c912465b96f248fd4fd10ee075"> <div class="timeline-comment-header clearfix d-flex" data-morpheus-enabled="false"> <div class="timeline-comment-actions flex-shrink-0 d-flex flex-items-center"> <details class="details-overlay details-reset position-relative d-inline-block"> <summary data-view-component="true" class="timeline-comment-action Link--secondary Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label"><svg aria-label="Show options" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal"> <path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path> </svg></span> </span> </summary> <details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > <span data-view-component="true"> <clipboard-copy aria-label="Copy link" for="issuecomment-937877941-permalink" role="menuitem" data-view-component="true" class="dropdown-item btn-link"> Copy link </clipboard-copy> <div aria-live="polite" aria-atomic="true" class="sr-only" data-clipboard-copy-feedback></div> </span> </details-menu> </details> </div> <div class="d-none d-sm-flex"> <span aria-label="This user is a member of the jquery organization." data-view-component="true" class="tooltipped tooltipped-n"> <span data-view-component="true" class="Label ml-1">Member</span> </span> </div> <h3 class="f5 text-normal" style="flex: 1 1 auto"> <div> <strong> <a class="author Link--primary text-bold css-overflow-wrap-anywhere " show_full_name="false" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> </strong> commented <a href="#issuecomment-937877941" id="issuecomment-937877941-permalink" class="Link--secondary js-timestamp"><relative-time datetime="2021-10-07T15:00:34Z" class="no-wrap">Oct 7, 2021</relative-time></a> </div> </h3> </div> <div class="edit-comment-hide"> <task-lists disabled sortable> <table class="d-block user-select-contain" data-paste-markdown-skip> <tbody class="d-block"> <tr class="d-block"> <td class="d-block comment-body markdown-body js-comment-body"> <p dir="auto"><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/koto">@koto</a> I created <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1020147295" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4948" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4948/hovercard" href="https://github.com/jquery/jquery/issues/4948">#4948</a> out of your last comment.</p> </td> </tr> </tbody> </table> </task-lists> <div class="d-flex"> <div class="pr-review-reactions"> <div data-view-component="true" class="comment-reactions js-reactions-container js-reaction-buttons-container social-reactions reactions-container d-none"> </option></form><form class="js-pick-reaction" data-turbo="false" action="/jquery/jquery/reactions" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" name="authenticity_token" value="nSAaBIPQvMqxqL4urGUk3LtPM_sXCask4XtsIYmNiaWZZLGqw4Du3jJ9DRADMC9zAxYaScyDFpl90uP1Vyi7qw" autocomplete="off" /> <input type="hidden" name="input[subjectId]" value="IC_kwDOAAKNBs435uG1"> <input type="hidden" name="input[context]" value="" > <div class="js-comment-reactions-options d-flex flex-items-center flex-row flex-wrap"> <div class="js-reactions-container"> <details class="dropdown details-reset details-overlay d-inline-block js-all-reactions-popover" hidden> <summary aria-haspopup="true" data-view-component="true" class="Button--link Button--medium Button"> <span class="Button-content"> <span class="Button-label">All reactions</span> </span> </summary> <ul class="dropdown-menu dropdown-menu-se"> </ul> </details> </div> </div> </form></div> </div> </div> </div> </option></form><form class="js-comment-update" id="issuecomment-937877941-edit-form" data-turbo="false" action="/jquery/jquery/issue_comments/937877941" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="jVbwzpkDF/Fq8IHBD+dqNqroLCBr24pR7pL9OY5Tr1uikMo45gGPSCtrQryMJDwp+OhjFBtWrMUIsU02oZUjcw==" /> <include-fragment loading="lazy" src="/jquery/jquery/issue_comments/937877941/edit_form?textarea_id=issuecomment-937877941-body&comment_context=" class="previewable-comment-form js-comment-edit-form-deferred-include-fragment" > <p class="text-center mt-3" data-hide-on-error> <span data-view-component="true"> <svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate"> <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" fill="none" /> <path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" /> </svg></span> </p> <p class="ml-1 mb-2 mt-2" data-show-on-error hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> Sorry, something went wrong. </p> </include-fragment> </form> </div> </div> </div> </div> <div class="js-timeline-item js-timeline-progressive-focus-container" data-gid="CRE_kwDOAAuOc85EAEx7"> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/shhnjk/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/shhnjk"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/6134073?s=40&v=4" width="20" height="20" alt="@shhnjk" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/shhnjk/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/shhnjk">shhnjk</a> mentioned this issue <a class="Link--secondary" href="#ref-issue-1020806793" > <relative-time datetime="2021-10-08T07:55:44Z" class="no-wrap">Oct 8, 2021</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-1020806793" > <a href="/knockout/knockout/issues/2579" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/knockout/knockout/issues/2579/hovercard"> Add support for Trusted Types <span class="color-fg-muted text-normal" >knockout/knockout#2579</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Open" data-view-component="true" class="State State--open State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-issue-opened flex-items-center mr-1"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> Open </span> </div> </div> </div> </div> <div class="TimelineItem" > <span class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </span> <div class="TimelineItem-body" id="ref-commit-b567c7a"> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/spaze/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/spaze">spaze</a> added a commit to spaze/michalspacek.cz that referenced this issue <a href="#ref-commit-b567c7a" class="Link--secondary"> <relative-time datetime="2021-12-19T02:40:56Z" class="no-wrap">Dec 19, 2021</relative-time> </a> <div class="mt-3"> <div class="js-details-container Details js-socket-channel js-updatable-content" data-channel="eyJjIjoicmVwbzoxNjM2NDE3MzA6Y29tbWl0OmI1NjdjN2E1YjQyZDkxYmFkNTAyZWJlYzQ3NmM1NDczZmMyZDlkNGUiLCJ0IjoxNzMyODQwMTcxfQ==--cd21fd221788098ebf417bf0652c2be8dd6cff240653f9ab4a1bdc846f104eaa" data-url="/spaze/michalspacek.cz/commit/b567c7a5b42d91bad502ebec476c5473fc2d9d4e/show_partial?partial=commit%2Fcondensed_details"> <div class="d-flex flex-md-row flex-column"> <div class="d-flex flex-auto"> <div class="AvatarStack flex-self-start " > <div class="AvatarStack-body" > <a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/spaze/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/spaze"> <img data-test-selector="commits-avatar-stack-avatar-image" src="https://avatars.githubusercontent.com/u/1966648?s=40&u=d93700db363832753091505b3d976ae708ef0dac&v=4" width="20" height="20" alt="@spaze" class=" avatar-user" /> </a> </div> </div> <div class="pr-1 flex-auto min-width-0" > <code> <a title="Remove trusted types requirement, it generates a lot of reports For example jQuery 3.x is not ready https://github.com/jquery/jquery/issues/4409 Partially reverts #8" data-pjax="true" class="Link--secondary markdown-title" href="/spaze/michalspacek.cz/commit/b567c7a5b42d91bad502ebec476c5473fc2d9d4e">Remove trusted types requirement, it generates a lot of reports</a> </code> <span class="hidden-text-expander inline"> <button type="button" class="ellipsis-expander js-details-target" aria-expanded="false">…</button> </span> </div> <div class="pr-1 d-md-inline-block d-none"> <batch-deferred-content class="d-inline-block" data-url="/commits/badges"> <input type="hidden" name="id" value="C_kwDOCcD5gtoAKGI1NjdjN2E1YjQyZDkxYmFkNTAyZWJlYzQ3NmM1NDczZmMyZDlkNGU" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="badge_size" value="small" data-targets="batch-deferred-content.inputs" autocomplete="off" /> <input type="hidden" name="dropdown_direction" value="w" data-targets="batch-deferred-content.inputs" autocomplete="off" /> </batch-deferred-content> </div> <div class="pr-1 flex-shrink-0" style="width: 16px;"> </div>  <div class="text-right ml-1"> <code> <a href="/spaze/michalspacek.cz/commit/b567c7a5b42d91bad502ebec476c5473fc2d9d4e" class="Link--secondary">b567c7a</a> </code> </div> </div> </div> <div class="Details-content--hidden mt-2"> <pre class="color-fg-muted ws-pre-wrap">For example jQuery 3.x is not ready <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="448964638" data-permission-text="Title is private" data-url="https://github.com/jquery/jquery/issues/4409" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/4409/hovercard" href="https://github.com/jquery/jquery/issues/4409">jquery/jquery#4409</a> Partially reverts <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1083860906" data-permission-text="Title is private" data-url="https://github.com/spaze/michalspacek.cz/issues/8" data-hovercard-type="pull_request" data-hovercard-url="/spaze/michalspacek.cz/pull/8/hovercard" href="https://github.com/spaze/michalspacek.cz/pull/8">#8</a></pre> </div> </div> </div> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/spaze/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/spaze"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1966648?s=40&u=d93700db363832753091505b3d976ae708ef0dac&v=4" width="20" height="20" alt="@spaze" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/spaze/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/spaze">spaze</a> mentioned this issue <a class="Link--secondary" href="#ref-pullrequest-1083994879" > <relative-time datetime="2021-12-19T02:41:03Z" class="no-wrap">Dec 19, 2021</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-pullrequest-1083994879" > <a href="/spaze/michalspacek.cz/pull/10" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="pull_request" data-hovercard-url="/spaze/michalspacek.cz/pull/10/hovercard"> Remove trusted types requirement, it generates a lot of reports <span class="color-fg-muted text-normal" >spaze/michalspacek.cz#10</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Merged" data-view-component="true" class="State State--merged State--small"> <svg height="14" class="octicon octicon-git-merge" viewBox="0 0 16 16" version="1.1" width="14" aria-hidden="true"><path d="M5.45 5.154A4.25 4.25 0 0 0 9.25 7.5h1.378a2.251 2.251 0 1 1 0 1.5H9.25A5.734 5.734 0 0 1 5 7.123v3.505a2.25 2.25 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.95-.218ZM4.25 13.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm8.5-4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5ZM5 3.25a.75.75 0 1 0 0 .005V3.25Z"></path></svg> Merged </span> </div> </div> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/kkmuffme/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/kkmuffme"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/11071985?s=40&v=4" width="20" height="20" alt="@kkmuffme" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/kkmuffme/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/kkmuffme">kkmuffme</a> mentioned this issue <a class="Link--secondary" href="#ref-issue-1345542830" > <relative-time datetime="2022-08-21T17:07:47Z" class="no-wrap">Aug 21, 2022</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-1345542830" > <a href="/jquery/jquery/issues/5094" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/5094/hovercard"> Trusted Types - use setHTML instead of innerHTML internally <span class="color-fg-muted text-normal" >#5094</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Open" data-view-component="true" class="State State--open State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-issue-opened flex-items-center mr-1"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> Open </span> </div> </div> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&u=b8bbaee0cb1861098456b83b8674e0a6897fc9f3&v=4" width="20" height="20" alt="@mgol" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol">mgol</a> mentioned this issue <a class="Link--secondary" href="#ref-issue-1415497539" > <relative-time datetime="2022-10-19T20:06:07Z" class="no-wrap">Oct 19, 2022</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-1415497539" > <a href="/jquery/jquery/issues/5144" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/jquery/jquery/issues/5144/hovercard"> Trusted Type Violation. Line 133 <span class="color-fg-muted text-normal" >#5144</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Closed as not planned" data-view-component="true" class="State State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-skip flex-items-center mr-1"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm9.78-2.22-5.5 5.5a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l5.5-5.5a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> Closed </span> </div> </div> </div> </div> <div class="TimelineItem"> <div class="TimelineItem-badge"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-cross-reference"> <path d="M2.75 3.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-2.5a.75.75 0 0 1 1.5 0v2.5A1.75 1.75 0 0 1 13.25 13H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 14.543V13H2.75A1.75 1.75 0 0 1 1 11.25v-7.5C1 2.784 1.784 2 2.75 2h5.5a.75.75 0 0 1 0 1.5ZM16 1.25v4.146a.25.25 0 0 1-.427.177L14.03 4.03l-3.75 3.75a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l3.75-3.75-1.543-1.543A.25.25 0 0 1 11.604 1h4.146a.25.25 0 0 1 .25.25Z"></path> </svg> </div> <div class="TimelineItem-body" > <div > <a class="d-inline-block" data-hovercard-type="user" data-hovercard-url="/users/onestep/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/onestep"><img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1419318?s=40&v=4" width="20" height="20" alt="@onestep" /></a> <a class="author Link--primary text-bold" data-hovercard-type="user" data-hovercard-url="/users/onestep/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/onestep">onestep</a> mentioned this issue <a class="Link--secondary" href="#ref-issue-498822349" > <relative-time datetime="2023-04-04T14:39:52Z" class="no-wrap">Apr 4, 2023</relative-time> </a> </div> <div class="mt-2 d-flex flex-items-start flex-column flex-md-row"> <div class="flex-auto wb-break-word" id="ref-issue-498822349" > <a href="/KartikTalwar/gmail.js/issues/592" class="Link--primary f4 text-bold markdown-title" data-hovercard-type="issue" data-hovercard-url="/KartikTalwar/gmail.js/issues/592/hovercard"> Relying on jquery <span class="color-fg-muted text-normal" >KartikTalwar/gmail.js#592</span> </a> </div> <div class="flex-shrink-0 my-1 my-md-0 ml-md-3"> <span title="Status: Open" data-view-component="true" class="State State--open State--small d-flex flex-items-center"> <svg aria-hidden="true" height="12" viewBox="0 0 16 16" version="1.1" width="12" data-view-component="true" class="octicon octicon-issue-opened flex-items-center mr-1"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> Open </span> </div> </div> </div> </div> </div>  <div class="js-timeline-marker js-socket-channel js-updatable-content" id="partial-timeline" data-channel="eyJjIjoiaXNzdWU6NDQ4OTY0NjM4IiwidCI6MTczMjg0MDE3MX0=--710acd10d85be59e9ff0fc5958d522d54fd642d35c21173ed6f40ada82c3d9ba" data-url="/jquery/jquery/issues/4409/partials/unread_timeline?issue=4409&since=2023-04-04T14%3A39%3A52.000000000Z" data-last-modified="2023-04-04T14:39:52.000000000Z" data-morpheus-enabled="false" data-gid="MDU6SXNzdWU0NDg5NjQ2Mzg="> </option></form><form class="d-none js-timeline-marker-form" data-turbo="false" action="/_graphql/MarkNotificationSubjectAsRead" accept-charset="UTF-8" data-remote="true" method="post"><input type="hidden" data-csrf="true" name="authenticity_token" value="Xx3aCJV6n2YIrbnu2oK29pyo8iaRHjx5rD2GSOMcfUDzfmQ5y893fBfSLFzOZ43422Qef0EB1e9JqTL3BHo0NQ==" /> <input type="hidden" name="variables[subjectId]" value="MDU6SXNzdWU0NDg5NjQ2Mzg="> </form> </div> </div> </div> <span id="issue-comment-box"></span> <div class="discussion-timeline-actions"> <div data-view-component="true" class="flash flash-warn mt-3"> <a rel="nofollow" class="btn btn-primary" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"signed out comment","repository_id":167174,"auth_type":"SIGN_UP","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="e0344a5c5fef56f1cc4a71d8d72fe04781322d956d90c53f1a4f2b314ce99597" href="/join?source=comment-repo">Sign up for free</a> <strong>to join this conversation on GitHub</strong>. Already have an account? <a rel="nofollow" class="Link--inTextBlock" data-hydro-click="{"event_type":"authentication.click","payload":{"location_in_page":"signed out comment","repository_id":167174,"auth_type":"LOG_IN","originating_url":"https://github.com/jquery/jquery/issues/4409","user_id":null}}" data-hydro-click-hmac="c85dd0e05a2b9c7f035d3e94b8c88dd78a758dd158a204a826688fb21ed3c6f8" data-test-selector="comments-sign-in-link" href="/login?return_to=https%3A%2F%2Fgithub.com%2Fjquery%2Fjquery%2Fissues%2F4409">Sign in to comment</a> </div> </div> </div> </div> <div data-view-component="true" class="Layout-sidebar"> <div id="partial-discussion-sidebar" class="js-socket-channel js-updatable-content" data-channel="eyJjIjoiaXNzdWU6NDQ4OTY0NjM4IiwidCI6MTczMjg0MDE2OX0=--8a452e198aa51c17d49e0a17675d695c39ef062c5017db658688388e89797086" data-gid="MDU6SXNzdWU0NDg5NjQ2Mzg=" data-url="/jquery/jquery/issues/4409/show_partial?partial=issues%2Fsidebar" data-project-hovercards-enabled> <div class="discussion-sidebar-item sidebar-assignee js-discussion-sidebar-item" > </option></form><form class="js-issue-sidebar-form" aria-label="Select assignees" data-turbo="false" action="/jquery/jquery/issues/4409/assignees" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="pkcL0ke/iGi0kchnyC2/UZp6nqgMuJH8HNPdPasglxl9+8EtdQFu7v9GT5cwXbpv9t9cHCJhJF8JgJ88fCiuPQ==" /> <div class="discussion-sidebar-heading text-bold"> Assignees </div> <span class="css-truncate js-issue-assignees"> <p> <span class="d-flex min-width-0 flex-1 js-hovercard-left" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard?bot=copilot-pull-request-reviewer" data-assignee-name="mgol"> <a class="no-underline" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img class="avatar mr-1 avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=40&v=4" width="20" height="20" alt="@mgol" /> </a> <a class="assignee Link--primary css-truncate-target width-fit" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <span class="css-truncate-target width-fit v-align-middle">mgol</span> </a> <span class="reviewers-status-icon v-hidden" aria-hidden="true"></span> </span> </p> </span> </form></div> <div class="discussion-sidebar-item js-discussion-sidebar-item" > <div class="discussion-sidebar-heading text-bold"> Labels </div> <div class="js-issue-labels d-flex flex-wrap"> <a id="label-b025ca" href="/jquery/jquery/labels/Core" data-name="Core" style="--label-r:0;--label-g:82;--label-b:204;--label-h:215;--label-s:100;--label-l:40;" data-view-component="true" class="IssueLabel hx_IssueLabel width-fit mb-1 mr-1"> <span class="css-truncate css-truncate-target width-fit">Core</span> </a> <a id="label-e8021c" href="/jquery/jquery/labels/Has%20Pull%20Request" data-name="Has Pull Request" style="--label-r:191;--label-g:229;--label-b:191;--label-h:120;--label-s:42;--label-l:82;" data-view-component="true" class="IssueLabel hx_IssueLabel width-fit mb-1 mr-1"> <span class="css-truncate css-truncate-target width-fit">Has Pull Request</span> </a> <a id="label-cc3382" href="/jquery/jquery/labels/Manipulation" data-name="Manipulation" style="--label-r:0;--label-g:82;--label-b:204;--label-h:215;--label-s:100;--label-l:40;" data-view-component="true" class="IssueLabel hx_IssueLabel width-fit mb-1 mr-1"> <span class="css-truncate css-truncate-target width-fit">Manipulation</span> </a> </div> </div> <div class="discussion-sidebar-item sidebar-progress-bar js-discussion-sidebar-item" > </option></form><form class="js-issue-sidebar-form" aria-label="Select milestones" data-turbo="false" action="/jquery/jquery/issues/4409/set_milestone?partial=issues%2Fsidebar%2Fshow%2Fmilestone" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="JosBcDdVT2drZDBcK15VrZIxjwOMqKiES1HFNh9e9IGHxSg2ErkiQqLnFNYXQhjuCUrC31lg8kralZ2RCp/X1g==" /> <div class="discussion-sidebar-heading text-bold"> Milestone </div> <span data-view-component="true" class="Progress mt-1 mb-2"> <span style="width: 98.69565217391305%;" data-view-component="true" class="Progress-item color-bg-success-emphasis"></span> </span> <a title="4.0.0" href="/jquery/jquery/milestone/7" class="Link--secondary mt-1 d-block text-bold css-truncate"> <strong class="css-truncate-target width-fit">4.0.0</strong> </a> </form></div> <create-branch data-default-repo="jquery/jquery" data-selected-nwo="jquery/jquery" data-default-source-branch="main" data-sidebar-url="/jquery/jquery/issues/closing_references/partials/sidebar?source_id=448964638&source_type=ISSUE" class="discussion-sidebar-item d-block"> <div class="js-discussion-sidebar-item" data-target="create-branch.sidebarContainer"> <div data-issue-and-pr-hovercards-enabled > <development-menu> </option></form><form data-target="create-branch.developmentForm" data-turbo="false" class="js-issue-sidebar-form" aria-label="Link issues" action="/jquery/jquery/issues/closing_references?source_id=448964638&source_type=ISSUE" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="put" autocomplete="off" /><input type="hidden" data-csrf="true" name="authenticity_token" value="K1ZBhqf0c1Ob+e8SUX5A742KCJgpnZLACzzH69Si1gi/RT8w7+7HR+H12wNP42WDW9NtI2+k2zV3t0q8iMKW/A==" /> <div class="discussion-sidebar-heading text-bold" > Development </div> <p>Successfully merging a pull request may close this issue.</p> <div class="my-1"> <span data-view-component="true" class="Truncate truncate-with-responsive-width"> <a href="/jquery/jquery/pull/4927" data-hydro-click="{"event_type":"issue_cross_references.click","payload":{"reference_location":"ISSUE_SIDEBAR","user_id":null,"issue_id":448964638,"pull_request_id":730924715,"originating_url":"https://github.com/jquery/jquery/issues/4409"}}" data-hydro-click-hmac="f516d87ddde9a63fff77f1d756d8b9fc2645df25b873c919cb759be92a7ae589" data-hovercard-type="pull_request" data-hovercard-url="/jquery/jquery/pull/4927/hovercard" data-view-component="true" class="Truncate-text Link--primary markdown-title text-bold d-block"> <svg class="octicon octicon-git-merge merged color-fg-done" title="Merged" aria-label="Merged Pull Request" viewBox="0 0 16 16" version="1.1" width="16" height="16" role="img"><path d="M5.45 5.154A4.25 4.25 0 0 0 9.25 7.5h1.378a2.251 2.251 0 1 1 0 1.5H9.25A5.734 5.734 0 0 1 5 7.123v3.505a2.25 2.25 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.95-.218ZM4.25 13.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm8.5-4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5ZM5 3.25a.75.75 0 1 0 0 .005V3.25Z"></path></svg> Core:Manipulation: Add basic TrustedHTML support </a> </span> <a href="/mgol/jquery" class="d-block Link--muted f6 pl-1 ml-3"> mgol/jquery </a> </div> </form> </development-menu> </div> </div> </create-branch> <div id="partial-users-participants" class="discussion-sidebar-item"> <div class="participation"> <div class="discussion-sidebar-heading text-bold"> 6 participants </div> <div class="participation-avatars d-flex flex-wrap"> <a class="participant-avatar" data-hovercard-type="user" data-hovercard-url="/users/koto/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/koto"> <img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/128171?s=52&v=4" width="26" height="26" alt="@koto" /> </a> <a class="participant-avatar" data-hovercard-type="user" data-hovercard-url="/users/dmethvin/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/dmethvin"> <img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/157858?s=52&v=4" width="26" height="26" alt="@dmethvin" /> </a> <a class="participant-avatar" data-hovercard-type="user" data-hovercard-url="/users/timmywil/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/timmywil"> <img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/192451?s=52&v=4" width="26" height="26" alt="@timmywil" /> </a> <a class="participant-avatar" data-hovercard-type="user" data-hovercard-url="/users/mgol/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/mgol"> <img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/1758366?s=52&v=4" width="26" height="26" alt="@mgol" /> </a> <a class="participant-avatar" data-hovercard-type="user" data-hovercard-url="/users/zwjohn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/zwjohn"> <img class="avatar avatar-user" src="https://avatars.githubusercontent.com/u/19634524?s=52&v=4" width="26" height="26" alt="@zwjohn" /> </a> <span class="participation-more">and others</span> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </turbo-frame> </main> </div> </div> <footer class="footer pt-8 pb-6 f6 color-fg-muted p-responsive" role="contentinfo" > <h2 class='sr-only'>Footer</h2> <div class="d-flex flex-justify-center flex-items-center flex-column-reverse flex-lg-row flex-wrap flex-lg-nowrap"> <div class="d-flex flex-items-center flex-shrink-0 mx-2"> <a aria-label="Homepage" title="GitHub" class="footer-octicon mr-2" href="https://github.com"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-mark-github"> <path d="M12.5.75C6.146.75 1 5.896 1 12.25c0 5.089 3.292 9.387 7.863 10.91.575.101.79-.244.79-.546 0-.273-.014-1.178-.014-2.142-2.889.532-3.636-.704-3.866-1.35-.13-.331-.69-1.352-1.18-1.625-.402-.216-.977-.748-.014-.762.906-.014 1.553.834 1.769 1.179 1.035 1.74 2.688 1.25 3.349.948.1-.747.402-1.25.733-1.538-2.559-.287-5.232-1.279-5.232-5.678 0-1.25.445-2.285 1.178-3.09-.115-.288-.517-1.467.115-3.048 0 0 .963-.302 3.163 1.179.92-.259 1.897-.388 2.875-.388.977 0 1.955.13 2.875.388 2.2-1.495 3.162-1.179 3.162-1.179.633 1.581.23 2.76.115 3.048.733.805 1.179 1.825 1.179 3.09 0 4.413-2.688 5.39-5.247 5.678.417.36.776 1.05.776 2.128 0 1.538-.014 2.774-.014 3.162 0 .302.216.662.79.547C20.709 21.637 24 17.324 24 12.25 24 5.896 18.854.75 12.5.75Z"></path> </svg> </a> <span> © 2024 GitHub, Inc. </span> </div> <nav aria-label="Footer"> <h3 class="sr-only" id="sr-footer-heading">Footer navigation</h3> <ul class="list-style-none d-flex flex-justify-center flex-wrap mb-2 mb-lg-0" aria-labelledby="sr-footer-heading"> <li class="mx-2"> <a data-analytics-event="{"category":"Footer","action":"go to Terms","label":"text:terms"}" href="https://docs.github.com/site-policy/github-terms/github-terms-of-service" data-view-component="true" class="Link--secondary Link">Terms</a> </li> <li class="mx-2"> <a data-analytics-event="{"category":"Footer","action":"go to privacy","label":"text:privacy"}" href="https://docs.github.com/site-policy/privacy-policies/github-privacy-statement" data-view-component="true" class="Link--secondary Link">Privacy</a> </li> <li class="mx-2"> <a data-analytics-event="{"category":"Footer","action":"go to security","label":"text:security"}" href="https://github.com/security" data-view-component="true" class="Link--secondary Link">Security</a> </li> <li class="mx-2"> <a data-analytics-event="{"category":"Footer","action":"go to status","label":"text:status"}" href="https://www.githubstatus.com/" data-view-component="true" class="Link--secondary Link">Status</a> </li> <li class="mx-2"> <a data-analytics-event="{"category":"Footer","action":"go to docs","label":"text:docs"}" href="https://docs.github.com/" data-view-component="true" class="Link--secondary Link">Docs</a> </li> <li class="mx-2"> <a data-analytics-event="{"category":"Footer","action":"go to contact","label":"text:contact"}" href="https://support.github.com?tags=dotcom-footer" data-view-component="true" class="Link--secondary Link">Contact</a> </li> <li class="mx-2" > <cookie-consent-link> <button type="button" class="Link--secondary underline-on-hover border-0 p-0 color-bg-transparent" data-action="click:cookie-consent-link#showConsentManagement" data-analytics-event="{"location":"footer","action":"cookies","context":"subfooter","tag":"link","label":"cookies_link_subfooter_footer"}" > Manage cookies </button> </cookie-consent-link> </li> <li class="mx-2"> <cookie-consent-link> <button type="button" class="Link--secondary underline-on-hover border-0 p-0 color-bg-transparent" data-action="click:cookie-consent-link#showConsentManagement" data-analytics-event="{"location":"footer","action":"dont_share_info","context":"subfooter","tag":"link","label":"dont_share_info_link_subfooter_footer"}" > Do not share my personal information </button> </cookie-consent-link> </li> </ul> </nav> </div> </footer> <ghcc-consent id="ghcc" class="position-fixed bottom-0 left-0" style="z-index: 999999" data-initial-cookie-consent-allowed="" data-cookie-consent-required="false"></ghcc-consent> <div id="ajax-error-message" class="ajax-error-message flash flash-error" hidden> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert"> <path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> <button type="button" class="flash-close js-ajax-error-dismiss" aria-label="Dismiss error"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button> You can’t perform that action at this time. </div> <template id="site-details-dialog"> <details class="details-reset details-overlay details-overlay-dark lh-default color-fg-default hx_rsm" open> <summary role="button" aria-label="Close dialog"></summary> <details-dialog class="Box Box--overlay d-flex flex-column anim-fade-in fast hx_rsm-dialog hx_rsm-modal"> <button class="Box-btn-octicon m-0 btn-octicon position-absolute right-0 top-0" type="button" aria-label="Close dialog" data-close-dialog> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x"> <path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path> </svg> </button> <div class="octocat-spinner my-6 js-details-dialog-spinner"></div> </details-dialog> </details> </template> <div class="Popover js-hovercard-content position-absolute" style="display: none; outline: none;"> <div class="Popover-message Popover-message--bottom-left Popover-message--large Box color-shadow-large" style="width:360px;"> </div> </div> <template id="snippet-clipboard-copy-button"> <div class="zeroclipboard-container position-absolute right-0 top-0"> <clipboard-copy aria-label="Copy" class="ClipboardButton btn js-clipboard-copy m-2 p-0" data-copy-feedback="Copied!" data-tooltip-direction="w"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copy js-clipboard-copy-icon m-2"> <path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 0 1 0 1.5h-1.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-1.5a.75.75 0 0 1 1.5 0v1.5A1.75 1.75 0 0 1 9.25 16h-7.5A1.75 1.75 0 0 1 0 14.25Z"></path><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0 1 14.25 11h-7.5A1.75 1.75 0 0 1 5 9.25Zm1.75-.25a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Z"></path> </svg> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check js-clipboard-check-icon color-fg-success d-none m-2"> <path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path> </svg> </clipboard-copy> </div> </template> <template id="snippet-clipboard-copy-button-unpositioned"> <div class="zeroclipboard-container"> <clipboard-copy aria-label="Copy" class="ClipboardButton btn btn-invisible js-clipboard-copy m-2 p-0 d-flex flex-justify-center flex-items-center" data-copy-feedback="Copied!" data-tooltip-direction="w"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copy js-clipboard-copy-icon"> <path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 0 1 0 1.5h-1.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-1.5a.75.75 0 0 1 1.5 0v1.5A1.75 1.75 0 0 1 9.25 16h-7.5A1.75 1.75 0 0 1 0 14.25Z"></path><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0 1 14.25 11h-7.5A1.75 1.75 0 0 1 5 9.25Zm1.75-.25a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Z"></path> </svg> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check js-clipboard-check-icon color-fg-success d-none"> <path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path> </svg> </clipboard-copy> </div> </template> </div> <div id="js-global-screen-reader-notice" class="sr-only mt-n1" aria-live="polite" aria-atomic="true" ></div> <div id="js-global-screen-reader-notice-assertive" class="sr-only mt-n1" aria-live="assertive" aria-atomic="true"></div> </body> </html>