Add an upgrade guide for jQuery 3.5.0

Closes #196

Author: mgol

pages/download.md

@@ -16,7 +16,7 @@ To locally download these files, right-click the link and select "Save as..." fr
 
 ### jQuery
 
-For help when upgrading jQuery, please see the [upgrade guide](https://jquery.com/upgrade-guide/) most relevant to your version.
+For help when upgrading jQuery, please see the [upgrade guide](/upgrade-guide/) most relevant to your version.
 We also recommend using the [jQuery Migrate plugin](https://github.com/jquery/jquery-migrate).
 
 <a href="https://code.jquery.com/jquery-3.4.1.min.js" download>Download the compressed, production jQuery 3.4.1</a>

pages/upgrade-guide.md

@@ -3,6 +3,8 @@
 	"noHeadingLinks": true
 }</script>
 
+## [3.5 Upgrade Guide](/upgrade-guide/3.5/)
+
 ## [3.0 Upgrade Guide](/upgrade-guide/3.0/)
 
 ## [1.9 Upgrade Guide](/upgrade-guide/1.9/)

pages/upgrade-guide/3.0.md

@@ -3,10 +3,6 @@
 	"toc": true
 }</script>
 
-
-
-# jQuery Core 3.0 Upgrade Guide
-
 ## Overview
 
 With the major version of 3.0, the jQuery Core team has taken the opportunity to make changes to clean up the API and fix bugs that may prove to be breaking changes for some code. This includes the removal of previously deprecated public APIs, changes to or removal of undocumented APIs, and changes to the documented or undocumented behavior of existing APIs for specific inputs.

pages/upgrade-guide/3.5.md

@@ -0,0 +1,57 @@
+<script>{
+	"title": "jQuery Core 3.5 Upgrade Guide"
+}</script>
+
+## jQuery.htmlPrefilter changes
+
+### A workaround
+
+If you want to upgrade to jQuery 3.5.0 or newer and don't have time to deal with breaking changes at the moment and you use jQuery Migrate 3.2.0 or newer, you can revert to the previous behavior by invoking:
+```js
+jQuery.UNSAFE_restoreLegacyHtmlPrefilter();
+```
+
+If you don't use jQuery Migrate, don't add it just for this one workaround. Instead, you can revert to the previous behavior by redefining `jQuery.htmlPrefilter` after loading jQuery:
+```js
+var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;
+jQuery.htmlPrefilter = function( html ) {
+	return html.replace( rxhtmlTag, "<$1></$2>" );
+};
+```
+
+Note that if you do this, you lose the jQuery 3.5.0 security fix and you have to be more careful with what HTML you pass to jQuery manipulation methods; regular HTML sanitizing will not be enough. Some security libraries have special sanitization settings for jQuery. For example, [DOMPurify](https://github.com/cure53/DOMPurify) has a `SAFE_FOR_JQUERY` flag:
+```js
+var sanitizedHtml = DOMPurify.sanitize( unsafeHtml, { SAFE_FOR_JQUERY: true } );
+elem.html( sanitizedHtml );
+```
+
+### Description of the change
+
+`jQuery.htmlPrefilter` modifies and filters HTML strings passed through [jQuery manipulation methods](/category/manipulation/). The default value of this function in jQueries older than 3.5.0 used to replace XHTML-like tags with versions that work in HTML. For example, previously the following:
+```js
+jQuery( "<div/><span/>" );
+```
+would create the following structure:
+```html
+<div></div>
+<span></span>
+```
+because `<div/>` was replaced with `<div></div>` & `<span/>` with `<span></span>`.
+
+jQuery 3.5.0 has changed `jQuery.htmlPrefilter` to be an identity function. That means that the above `jQuery` call would now create above HTML structure only in XML mode of HTML (called also as XHTML) but in regular HTML mode you would now get:
+```html
+<div>
+	<span></span>
+</div>
+```
+
+To avoid this, don't use self-closing tags for tags that may have content unless you page runs in XHTML mode. Make sure you're sending a correct mime type: `application/xhtml+xml`; otherwise, your page will really run in HTML mode. 
+
+If you're writing a library and you want it to work both in HTML & XHTML modes, remember to use self-closing tags for empty elements, i.e. ones that don't have closing tags in HTML. For example, instead of:
+```js
+jQuery( "<div/><img/>" );
+```
+do this:
+```js
+jQuery( "<div></div><img/>" );
+```