jQuery UI 1.13 Upgrade Guide

• Overview
• Reminder: API Redesigns
• General changes
  • Security fixes
  • Strict mode
  • Files & directory structure
  • Newer Core features
  • Dropped support for jQuery 1.7
  • Dropped $.ui.escapeSelector
• Accordion
  • Added function value for a header option
• Datepicker
  • Added onUpdateDatepicker callback
  • altField no longer accepts HTML input
  • Various *Text options no longer accept HTML input
• Position
  • of is treated as a CSS selector

link Overview

This guide will assist in upgrading from jQuery UI 1.12.x to jQuery UI 1.13.x. All changes are listed below, organized by plugin, along with how to upgrade your code to work with jQuery UI 1.13.

link Reminder: API Redesigns

jQuery UI 1.12 introduced API redesigns for Button, Buttonset, Dialog, Draggable, Droppable, Menu, Mouse, Resizable, Selectable, Sortable, Tabs, Tooltip, and Effects. You can read about the API redesign process on the jQuery UI Blog. Although the redesigns introduced breaking changes, 1.12 & 1.13 maintains a lot of compatibility with the 1.11 API by default. This is accomplished by rebuilding the 1.11 API on top of the 1.12/1.13 API. The default behavior for all 1.12 & 1.13 releases will be to simultaneously use the 1.11 and 1.12/1.13 APIs where possible. If you would like to load just the 1.12/1.13 API without the 1.11 API to prepare for jQuery UI 1.14, you can set the $.uiBackCompat flag to false.

<script src="jquery.js"></script>
<script>$.uiBackCompat = false;</script>
<script src="jquery-ui.js"></script>

If you find a regression from the 1.11 API, please report it in the bug tracker. Even though the 1.11 API is deprecated, it's important for 1.13 releases not to regress so that users are encouraged to upgrade even if they're not ready to use the new APIs.

link General changes

The main focus of this release was improving compatibility with recent jQuery versions. Removal of deprecated APIs and removal of legacy browser support are not included. Therefore, the number of breaking changes is extremely limited compared to previous upgrades.

link Security fixes

A few security fixes have landed in this release; they're marked with their assigned CVEs below.

link Strict mode

Both the compiled jQuery UI JavaScript files and all individual AMD modules now use ECMAScript 5 strict mode. This shouldn't be noticeable to most users; some older debugging tools may not be able to step through the code, though.

A similar change has been live in jQuery since version 3.0.0, so we're optimistic this will not cause issues for jQuery UI either.

link Files & directory structure

There have been some minor changes to source files:

• Source has been migrated from JSHint + JSCS to ESLint. The linter config files are no longer included in the jquery-ui npm package.
• The file jquery-1-7.js has been renamed to ui/jquery-patch.js since it includes patches for all jQuery versions from 1.8 to 3.4 inclusive.
• The jQuery Color library is no longer inlined into the ui/effects.js module; instead, it lies in ui/vendor/jquery-color/jquery-color.js and ui/effects.js declares an AMD dependency on the file.
• The file ui/escape-selector.js has been removed.

link Newer Core features

As part of making sure jQuery UI doesn't depend on deprecated Core APIs, we started using some newer Core APIs, polyfilling them in the jquery-patch.js file for older jQuery versions. If you haven't included jquery-1-7.js in your bundle of jQuery UI 1.12.x, you may still need to include jquery-patch.js when migrating to UI 1.13.x; it's required for all jQuery versions older than 3.5.0.

link Dropped support for jQuery 1.7

(gh-1923, b61b16b) jQuery UI no longer supports jQuery 1.7. The minimal supported version is now 1.8.0.

link Dropped $.ui.escapeSelector

The private $.ui.escapeSelector API has been dropped in favor of a jQuery $.escapeSelector one. That API is only available in jQuery 3.0.0 & newer but jQuery UI polyfills it via ui/jquery-patch.js for older jQuery versions.

link Accordion

link Added function value for a header option

(gh-1904, 0c860b0) Accordion’s header option may now accept not only a selector matching header elements:

$( ".selector" ).accordion( {
  header: "h3"
} );

but also a function taking the accordion element as a parameter and returning the header elements:

$( ".selector" ).accordion( {
  header: function ( accordionElement ) {
    return accordionElement.find( "h3" );
  }
} );

link Datepicker

link Added onUpdateDatepicker callback

(gh-1912, 17d115b, a12c985) Datepicker options now include the optional onUpdateDatepicker callback, called when the datepicker widget’s DOM is updated.

link altField no longer accepts HTML input

(CVE-2021-41182, gh-1954, 3285086) Due to a bug, the altField option used to accept HTML input that created fresh elements. This is now fixed and all string input is treated as a CSS selector.

link Various *Text options no longer accept HTML input

(CVE-2021-41183, trac-15284, gh-1953, afe20b7) Various Datepicker *Text options: appendText, buttonText, closeText, currentText, nextText and prevText used to erroneously accept HTML input despite never documented to do so. That disconnect between docs & reality can lead to security issues so the options now only accept text input.

link Position

link of is treated as a CSS selector

(CVE-2021-41184, gh-1955, effa323) Due to a bug, the of option used to accept HTML input that created fresh elements. This is now fixed and all string input is treated as a CSS selector.