jQuery 3.5.0 Is Now Available

Now the jQuery.htmlPrefilter function does not use a regex and passes the string through unchanged.

The team behind announced the release of jQuery 3.5.0, featuring better security, bug fixes and many new features.
 
According to the team, the main update in this release is a security fix. jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. But sometimes the regex was introducing a cross-site scripting (XSS) vulnerability. In 3.5 the jQuery.htmlPrefilter function does not use a regex and passes the string through unchanged.
 
With "positional selectors" being deprecated and slated for removal in jQuery 4.0, the team has added the last two necessary replacement methods. The .even() and .odd() methods have been added to replace the :even and :odd selectors.
 
3.5 also features the ability to add a context to jQuery.globalEval. This has been done as part of fixing a bug with script execution in iframes.
 
 
 
Earlier, jQuery used to evaluate any response to a request for a script as a script, which is not always the desired behavior. jQuery 3.5.0 only evaluates successful HTTP responses.
 
Other enhancements include performance improvements in Sizzle, support for massive arrays in jQuery.map, using the native .flat() method where supported, a fix for syntax errors in the AMD modules, several improvements to the testing infrastructure, and more.
 
The team also announced the release of a "slim" version of jQuery that excludes ajax, or many standalone libraries that focus on ajax requests. This slim build is nearly 6k gzipped bytes tinier than the regular version.


Next Recommended Reading New jQuery website launched